fix: improve bundle catch for logrb

Bearer · Jan 29, 2024 · 875b3cc · 875b3cc
1 parent b7ee8df
commit 875b3cc
Show file tree

Hide file tree

Showing 2 changed files with 38 additions and 4 deletions.
diff --git a/rules/java/lang/crlf_injection.yml b/rules/java/lang/crlf_injection.yml
@@ -11,21 +11,46 @@ patterns:
           - logger
       - variable: METHOD
         detection: java_shared_lang_logger_methods
+      - not:
+          variable: METHOD
+          values:
+            - logrb
       - variable: UNSANITIZED_USER_INPUT
         detection: java_shared_lang_user_input
         scope: result
       - not:
           variable: UNSANITIZED_USER_INPUT
           detection: java_lang_log_sanitized_dynamic_input
           scope: result
+  - pattern: |
+      $<LOG>.logrb($<_>, $<_>, $<UNSANITIZED_USER_INPUT>$<...>)
+    filters:
+      - variable: LOG
+        values:
+          - log
+          - logger
+      - variable: UNSANITIZED_USER_INPUT
+        detection: java_shared_lang_user_input
+        scope: result
       - not:
           variable: UNSANITIZED_USER_INPUT
-          detection: java_lang_log_dynamic_bundle_input
+          detection: java_lang_log_sanitized_dynamic_input
+          scope: result
+  - pattern: |
+      $<LOG>.logrb($<_>, $<_>, $<_>, $<_>, $<UNSANITIZED_USER_INPUT>$<...>)
+    filters:
+      - variable: LOG
+        values:
+          - log
+          - logger
+      - variable: UNSANITIZED_USER_INPUT
+        detection: java_shared_lang_user_input
+        scope: result
+      - not:
+          variable: UNSANITIZED_USER_INPUT
+          detection: java_lang_log_sanitized_dynamic_input
           scope: result
 auxiliary:
-  - id: java_lang_log_dynamic_bundle_input
-    patterns:
-      - pattern: $<_> + "bundle"
   - id: java_lang_log_sanitized_dynamic_input
     patterns:
       - pattern: $<_>.$<METHOD>($<SOURCE>, $<_>);

diff --git a/tests/java/lang/crlf_injection/testdata/main.java b/tests/java/lang/crlf_injection/testdata/main.java
@@ -20,6 +20,15 @@ public void javaUtilLogging(HttpServletRequest req, HttpServletResponse res) {
     // bearer:expected java_lang_crlf_injection
     logger.info(dangerous.replaceAll("\r", ""));
 
+    // logrb cases
+    // - logrb(Level level, ResourceBundle bundle, String msg, Object... params)
+    // - logrb(Level level, String sourceClass, String sourceMethod, ResourceBundle bundle, String msg, Object... params)
+
+    // bearer:expected java_lang_crlf_injection
+    logger.logrb(Level.INFO, safe, dangerous, safe, safe);
+    // bearer:expected java_lang_crlf_injection
+    logger.logrb(Level.INFO, safe, safe, ResourceBundle.getBundle("package.ExampleResource", locale), dangerous, safe);
+
     // okay
     logger.config("hello world" + okay);
     logger.info(dangerous.replace('\r', ' ').replace('\n', ' '));