Fortify Log Forging Issue
We are scanning our .NET application with Fortify and need to provide some information on why the Log Forging issue does not apply to us. In our code we have the following pattern; of course it is not exactly as is, but I've captured the essence of what we're doing:
private const int MaxLength = 100;

public static void Write(object message)
{
    LogEntry log = new LogEntry();
    string messageToAdd = message.ToString();
    // Truncate to MaxLength characters; no other validation is performed
    if (messageToAdd.Length > MaxLength)
        log.Message = messageToAdd.Substring(0, MaxLength);
    else
        log.Message = messageToAdd;
}
So basically, we control how log entry objects are created. We restrict the message or user input to 100 characters. Hence we think that the Log Forging issue raised by Fortify is a false positive. What do you all think?
Log forging is writing unvalidated user input to log files, which can allow an attacker to forge log entries or inject malicious content into the logs. Limiting the length of the information that is written to the log file will not prevent that; you have to do proper input validation.
Hence this is not a false positive.
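To illustrate the answer, here is an added example (not the asker's code, and not Fortify's own guidance) showing why a length cap alone does not address the finding: a value under 100 characters can still carry a CR/LF pair that starts a new, fake log line. The `INFO` prefix, the `Sanitize` helper and the sample input are assumptions made for this illustration.

```csharp
using System;
using System.Text;

public static class LogForgingDemo
{
    private const int MaxLength = 100;

    // The pattern from the question: truncate, write everything else as-is.
    public static string FormatTruncated(object message)
    {
        string text = message.ToString();
        if (text.Length > MaxLength)
            text = text.Substring(0, MaxLength);
        return "INFO " + text;
    }

    // Hardened variant (assumed helper): replace CR, LF and other control
    // characters before truncating, so one call yields exactly one log line.
    public static string Sanitize(string text)
    {
        var sb = new StringBuilder(text.Length);
        foreach (char c in text)
        {
            if (c == '\r') sb.Append("\\r");
            else if (c == '\n') sb.Append("\\n");
            else if (char.IsControl(c)) sb.Append('?');
            else sb.Append(c);
        }
        return sb.ToString();
    }

    public static string FormatHardened(object message)
    {
        string text = Sanitize(message.ToString());
        if (text.Length > MaxLength)
            text = text.Substring(0, MaxLength);
        return "INFO " + text;
    }

    public static void Main()
    {
        // Constructed input: 37 characters, well under MaxLength, containing "\r\n".
        string input = "user=alice\r\nINFO login ok user=admin";

        Console.WriteLine("--- truncation only: the value becomes two log lines ---");
        Console.WriteLine(FormatTruncated(input));

        Console.WriteLine("--- sanitised: the value stays on one line ---");
        Console.WriteLine(FormatHardened(input));
    }
}
```

Running the program shows the difference directly: with truncation only, the second half of the value prints as a separate entry indistinguishable from a genuine one, while the sanitised version keeps the escaped `\r\n` visible inside a single entry.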