Description
environment
- Android Studio version: Arctic Fox 2020.3.1 Patch 2
- Firebase Component: Crashlytics
- Component version: BOM 28.4.0
Steps to reproduce:
Veracode Issue CWE ID 117
Improper Output Neutralization for Logs
https://cwe.mitre.org/data/definitions/117.html
The issue has to do with Firebase's Logger.java class and calls to .d() and .w() related to javax.net.ssl.HttpsURLConnection.getInputStream.
Relevant Code:
We identified k4 as com.google.firebase.crashlytics.internal.Logger -> k4.f: in our mapping.txt file.
Attack Vector: android.util.Log.d and android.util.Log.w
k4/Logger.javaNumber of Modules Affected: 1
Description: This call to android.util.Log.d() could result in a log forging attack. Writing untrusted data into a log file allows an attacker to forge log entries or inject malicious content into log files. Corrupted log files can be used to cover an attacker's tracks or as a delivery mechanism for an attack on a log viewing or processing utility. For example, if a web administrator uses a browser-based utility to review logs, a cross-site scripting attack might be possible. The second argument to d() contains tainted data from the variable p0. The tainted data originated from an earlier call to javax.net.ssl.HttpsURLConnection.getInputStream.
Remediation: Avoid directly embedding user input in log files when possible. Sanitize untrusted data used to construct log entries by using a safe logging mechanism such as the OWASP ESAPI Logger, which will automatically remove unexpected carriage returns and line feeds and can be configured to use HTML entity encoding for non-alphanumeric data. Alternatively, some of the XSS escaping functions from the OWASP Java Encoder project will also sanitize CRLF sequences. Only create a custom blocklist when absolutely necessary. Always validate untrusted input to ensure that it conforms to the expected format, using centralized data validation routines when possible.