diff --git a/java/ql/lib/change-notes/2025-06-14-log-injection-exclude-debug-trace.md b/java/ql/lib/change-notes/2025-06-14-log-injection-exclude-debug-trace.md
new file mode 100644
index 000000000000..63ec581cc24e
--- /dev/null
+++ b/java/ql/lib/change-notes/2025-06-14-log-injection-exclude-debug-trace.md
@@ -0,0 +1,4 @@
+---
+category: majorAnalysis
+---
+* The `java/log-injection` query no longer considers DEBUG and TRACE level logging calls (including `fine`, `finer`, `finest` for java.util.logging) as log injection sinks. These log levels are typically disabled in production environments, making them unrealistic targets for log injection attacks.
diff --git a/java/ql/lib/semmle/code/java/security/LogInjection.qll b/java/ql/lib/semmle/code/java/security/LogInjection.qll
index b585c249d1eb..14ff3338efd3 100644
--- a/java/ql/lib/semmle/code/java/security/LogInjection.qll
+++ b/java/ql/lib/semmle/code/java/security/LogInjection.qll
@@ -30,7 +30,16 @@ class LogInjectionAdditionalTaintStep extends Unit {
 }
 
 private class DefaultLogInjectionSink extends LogInjectionSink {
-  DefaultLogInjectionSink() { sinkNode(this, "log-injection") }
+  DefaultLogInjectionSink() {
+    sinkNode(this, "log-injection") and
+    not exists(MethodCall mc |
+      this.asExpr() = mc.getAnArgument() and
+      mc.getMethod().getName() in [
+        "debug", "trace", // SLF4J, Log4j, Commons Logging, JBoss Logging
+        "fine", "finer", "finest" // java.util.logging
+      ]
+    )
+  }
 }
 
 private class DefaultLogInjectionSanitizer extends LogInjectionSanitizer instanceof SimpleTypeSanitizer
diff --git a/java/ql/src/change-notes/2025-06-14-log-injection-exclude-debug-trace.md b/java/ql/src/change-notes/2025-06-14-log-injection-exclude-debug-trace.md
new file mode 100644
index 000000000000..210499a2be68
--- /dev/null
+++ b/java/ql/src/change-notes/2025-06-14-log-injection-exclude-debug-trace.md
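Review bot: The exclusion in DefaultLogInjectionSink keys on the method name alone, so debug-level calls that pass the level as an argument — Log4j 2 `log(Level.DEBUG, ...)`, java.util.logging `log(Level.FINE, ...)`, and, if the sink models cover it, SLF4J's fluent `atDebug().log(...)` — are still reported while the same message through `debug(...)` is not, which makes the new behaviour inconsistent across the very APIs the inline comment lists. The name match is also applied regardless of the declaring type, though since `sinkNode(this, "log-injection")` already restricts to modeled sinks that is probably harmless in practice. Either extend the check to the level-parameter overloads or document the limitation, e.g. a QLDoc on the class such as `/** A modeled log-injection sink, excluding arguments of DEBUG/TRACE-level convenience methods; level-parameter overloads such as log(Level.DEBUG, ...) are not excluded. */`. Both change notes should then say the same, since they currently describe the exclusion as covering all DEBUG and TRACE level calls.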
@@ -0,0 +1,4 @@
+---
+category: majorAnalysis
+---
+* The `java/log-injection` query now excludes calls to DEBUG and TRACE level logging methods from its results, since these log levels are typically disabled in production and do not present a realistic log injection attack surface. This eliminates approximately 41% of previously reported alerts.