add new method.

Author: righettod

pom.xml

@@ -79,6 +79,11 @@
             <artifactId>iban4j</artifactId>
             <version>3.2.11-RELEASE</version>
         </dependency>
+        <dependency>
+            <groupId>com.googlecode.owasp-java-html-sanitizer</groupId>
+            <artifactId>owasp-java-html-sanitizer</artifactId>
+            <version>20240325.1</version>
+        </dependency>
         <!-- TEST ONLY PURPOSE -->
         <dependency>
             <groupId>org.junit.jupiter</groupId>

src/main/java/eu/righettod/SecurityUtils.java

@@ -32,6 +32,8 @@
 import org.apache.tika.mime.MediaType;
 import org.apache.tika.mime.MimeTypes;
 import org.iban4j.IbanUtil;
+import org.owasp.html.HtmlPolicyBuilder;
+import org.owasp.html.PolicyFactory;
 import org.w3c.dom.Document;
 import org.xml.sax.EntityResolver;
 import org.xml.sax.InputSource;
@@ -1560,6 +1562,7 @@ public static Map<SensitiveInformationType, Set<String>> extractAllSensitiveInfo
      */
     public static boolean isGZIPCompressedDataSafe(byte[] compressedBytes, long maxCountOfDecompressedBytesAllowed) {
         boolean isSafe = false;
+
         try {
             long limit = maxCountOfDecompressedBytesAllowed;
             long totalRead = 0L;
@@ -1580,6 +1583,52 @@ public static boolean isGZIPCompressedDataSafe(byte[] compressedBytes, long maxC
         } catch (Exception e) {
             isSafe = false;
         }
+        
         return isSafe;
     }
+
+    /**
+     * Process a string, intended to be written in a log, to remove as much as possible information that can lead to an exposure to a log injection vulnerability.<br><br>
+     * <b>Log injection</b> is also called <b>log forging</b>.<br><br>
+     * The following information are removed:
+     * <ul>
+     *     <li>Characters: Carriage Return (CR), Linefeed (LF) and Tabulation (TAB).</li>
+     *     <li>Leading and trailing spaces.</li>
+     *     <li>Any HTML tags.</li>
+     * </ul><br><br>
+     * A parameter is also used to limit the maximum length of the sanitized message.
+     * To remove any HTML tags, the OWASP project <a href="https://owasp.org/www-project-java-html-sanitizer/">Java HTML Sanitizer</a> is leveraged.<br>
+     * I delegated such removal to a dedicated library to prevent missing of edge cases as well as potential bypasses.
+     *
+     * @param message          The original string message intended to be written in a log.
+     * @param maxMessageLength The maximum number of characters after which the sanitized message must be truncated. If inferior to 1 then default to the value of 500.
+     * @return The string message cleaned.
+     * @see "https://www.wallarm.com/what/log-forging-attack"
+     * @see "https://www.invicti.com/learn/crlf-injection"
+     * @see "https://capec.mitre.org/data/definitions/93.html"
+     * @see "https://codeql.github.com/codeql-query-help/javascript/js-log-injection/"
+     * @see "https://owasp.org/www-project-java-html-sanitizer/"
+     * @see "https://github.com/OWASP/java-html-sanitizer"
+     */
+    public static String sanitizeLogMessage(String message, int maxMessageLength) {
+        String sanitized = message;
+        int maxSanitizedMessageLength = maxMessageLength;
+
+        if (sanitized != null && !sanitized.isBlank()) {
+            if (maxSanitizedMessageLength < 1) {
+                maxSanitizedMessageLength = 500;
+            }
+            //Step 1: Remove any CR/LR/TAB characters as well as leading and trailing spaces
+            sanitized = sanitized.replaceAll("[\\n\\r\\t]", "").trim();
+            //Step 2: Remove any HTML tags
+            PolicyFactory htmlSanitizerPolicy = new HtmlPolicyBuilder().toFactory();
+            sanitized = htmlSanitizerPolicy.sanitize(sanitized);
+            //Step 3: Truncate the string in case of need
+            if (sanitized.length() > maxSanitizedMessageLength) {
+                sanitized = sanitized.substring(0, maxSanitizedMessageLength);
+            }
+        }
+
+        return sanitized;
+    }
 }

src/test/java/eu/righettod/TestSecurityUtils.java

@@ -785,5 +785,26 @@ public void isGZIPCompressedDataSafe() throws Exception {
         isSafe = SecurityUtils.isGZIPCompressedDataSafe(testData, limit);
         assertTrue(isSafe, String.format(falsePositiveMsgTemplate, testData.length, limit));
     }
+
+    @Test
+    public void sanitizeLogMessage() {
+        //Case format is the following
+        //[0]: The maximum number of characters after which the sanitized message must be truncated
+        //[1]: The original string message intended to be written in a log
+        //[2]: The expected sanitized message
+        final List<String[]> cases = new ArrayList<>();
+        cases.add(new String[]{"1000", "<b>test msg</b><script>alert(1)</script>", "test msg"});
+        cases.add(new String[]{"1000", "test<xss>msg</xss>\n1\r2\t3\t4\n5\r6\t7", "testmsg1234567"});
+        cases.add(new String[]{"1000", "     test<xss>msg</xss>\n1\r2\t3\t4\n5\r6\t7\t\r\n     ", "testmsg1234567"});
+        cases.add(new String[]{"0", "<b>test msg</b><script>alert(1)</script>", "test msg"});
+        cases.add(new String[]{"10", "AAAAAAAAAACCC<script src='https://evil.com/a.js'></script>BBBBBBBBBB", "AAAAAAAAAA"});
+        cases.forEach(caseData -> {
+            int maxMessageLength = Integer.parseInt(caseData[0].trim());
+            String originalMessage = caseData[1];
+            String expectedSanitizedMessage = caseData[2];
+            String sanitizedMessage = SecurityUtils.sanitizeLogMessage(originalMessage, maxMessageLength);
+            assertEquals(expectedSanitizedMessage, sanitizedMessage);
+        });
+    }
 }