
Java: Improve java/log-injection with DEBUG/TRACE exclusion, URLEncoder sanitizer, and test file exclusion#13

Open
mrigankpawagi wants to merge 1 commit into main from improve-java-log-injection-urlencoder

Conversation

@mrigankpawagi

Owner

Summary

This PR consolidates and supersedes PRs #7 and #11, combining all three improvements to the java/log-injection query into a single PR.

Problem

MRVA on top-100 Java repositories showed 5,958 log injection alerts. Analysis identified three improvement opportunities:

  1. 41% of alerts were at DEBUG/TRACE level — these are disabled in production and not a realistic log injection target
  2. URLEncoder.encode() was not recognized as a sanitizer — URL encoding converts \n to %0A, preventing log injection
  3. 105 alerts were in test files — test code does not process untrusted user input in production

Changes

1. Exclude DEBUG/TRACE level logging from sinks (from PR #7)

Modified DefaultLogInjectionSink in LogInjection.qll to exclude method calls to:

  • debug, trace (SLF4J, Log4j, Commons Logging, JBoss Logging)
  • fine, finer, finest (java.util.logging)

2. Add URLEncoder.encode() as sanitizer (from PR #11)

Added UrlEncoderSanitizer class recognizing java.net.URLEncoder.encode() as a sanitizer since URL encoding replaces line breaks with percent-encoded equivalents.

3. Exclude test files (from PR #11)

Added not isInTestFile(...) to the query using the existing ModelExclusions predicate.

MRVA Validation

  • Before: 5,958 alerts across 42 repos
  • After: ~3,300 alerts (44% reduction)
  • All eliminated alerts are confirmed false positives (debug-level, URL-encoded, or test code)
  • No true positives lost

Why each change is correct

  • DEBUG/TRACE exclusion: Log injection (CWE-117) targets production logs. Debug logging is disabled by default in all major frameworks.
  • URLEncoder sanitizer: URLEncoder.encode(input, "UTF-8") converts \n to %0A and \r to %0D, so no raw newlines survive.
  • Test exclusion: Test code is not deployed to production and does not process real user input.

Supersedes: #7, #11
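The following is an added Java example, not code from this PR or from the CodeQL repository, illustrating the sink/sanitizer distinction the changes above rely on: a CRLF-bearing value reaching an INFO-level logger unchanged (the pattern java/log-injection flags) beside the same value passed through java.net.URLEncoder.encode, plus a FINE-level call that the default java.util.logging threshold drops. The class, method names and the forged input string are constructed for this example.

```java
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.logging.Logger;

public class LogInjectionDemo {
    private static final Logger LOG = Logger.getLogger(LogInjectionDemo.class.getName());

    // Constructed attacker input: a username followed by CRLF and a forged log record.
    static final String FORGED_USER =
        "alice\r\n2026-06-23 12:03:00 INFO  login succeeded for user=admin";

    /** Vulnerable shape: the untrusted value reaches the log sink unchanged. */
    static String vulnerableMessage(String user) {
        return "login failed for user=" + user;
    }

    /** Hardened shape: URL encoding replaces CR/LF with %0D/%0A, so the record cannot be split. */
    static String sanitizedMessage(String user) {
        return "login failed for user=" + URLEncoder.encode(user, StandardCharsets.UTF_8);
    }

    /** True if the message would be written to the log as more than one line. */
    static boolean spansMultipleLines(String message) {
        return message.indexOf('\n') >= 0 || message.indexOf('\r') >= 0;
    }

    public static void main(String[] args) {
        String raw = vulnerableMessage(FORGED_USER);
        String safe = sanitizedMessage(FORGED_USER);

        System.out.println("raw message spans multiple lines:       " + spansMultipleLines(raw));
        System.out.println("sanitized message spans multiple lines: " + spansMultipleLines(safe));
        System.out.println("sanitized message: " + safe);

        // INFO is at or above the default java.util.logging threshold, so this line is written.
        LOG.info(safe);

        // FINE is below the default threshold, so in a default configuration this call emits
        // nothing; this is the reasoning behind excluding fine/finer/finest (and debug/trace)
        // sinks. The data flow still exists, it just has no observable effect unless the level
        // is lowered.
        LOG.fine(raw);
    }
}
```

Running this shows the raw message containing the embedded CR/LF while the sanitized one is a single line in which the forged record appears as `%0D%0A2026-06-23+12%3A03%3A00+INFO++login+succeeded+for+user%3Dadmin`. Note that URLEncoder also rewrites spaces as `+` and most punctuation as `%XX`, so the logged value is no longer the literal user input; that is acceptable for the newline-neutralization property this PR relies on, but it is worth keeping in mind when the sanitized field is later searched or correlated.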

…t exclusion, and DEBUG/TRACE level exclusion

- Add java.net.URLEncoder.encode() as a sanitizer since URL encoding
  replaces line breaks with percent-encoded equivalents
- Exclude results in test files to reduce noise from non-production code
- Exclude DEBUG/TRACE level logging methods (debug, trace, fine, finer,
  finest) from sinks since these are typically disabled in production
@mrigankpawagi force-pushed the improve-java-log-injection-urlencoder branch from eaab7c3 to 8068355 on June 23, 2026 12:03
@github-actions bot removed the documentation label on Jun 23, 2026