Azure · g2vinay · Oct 24, 2020 · Oct 19, 2020 · Oct 19, 2020 · Oct 24, 2020
diff --git a/eng/code-quality-reports/src/main/resources/spotbugs/spotbugs-exclude.xml b/eng/code-quality-reports/src/main/resources/spotbugs/spotbugs-exclude.xml
@@ -2433,4 +2433,23 @@
     <Field name="detectionConfiguration" />
     <Bug pattern="UWF_UNWRITTEN_FIELD" />
   </Match>
+
+  <!-- Disabling false positives in azure-core -->
+  <!-- This Issue has been resolved as per spotbugs's recommended solution but the static checker still flags it, its a known issue with this rule. -->
+  <Match>
+      <Class name="com.azure.core.util.logging.ClientLogger" />
+      <Bug pattern="CRLF_INJECTION_LOGS" />
+  </Match>
+
+  <!-- The predictable randomness doesn't expose any crucial detail in this case. -->
+  <Match>
+      <Class name="com.azure.core.http.policy.ExponentialBackoff" />
+      <Bug pattern="PREDICTABLE_RANDOM" />
+  </Match>
+
+  <!-- In the default log level azure-core will not print the stack trace, but when the user opt-in for the lowest level log (DEBUG) we'll print it, which is expected. -->
+  <Match>
+      <Class name="com.azure.core.implementation.logging.DefaultLogger" />
+      <Bug pattern="INFORMATION_EXPOSURE_THROUGH_AN_ERROR_MESSAGE" />
+  </Match>
 </FindBugsFilter>
diff --git a/sdk/core/azure-core/pom.xml b/sdk/core/azure-core/pom.xml
@@ -183,6 +183,23 @@
           </rules>
         </configuration>
       </plugin>
+
+      <!-- This plugin scans reports spotbugs in the code -->
+      <plugin>
+        <groupId>com.github.spotbugs</groupId>
+        <artifactId>spotbugs-maven-plugin</artifactId>
+        <version>3.1.12.2</version> <!-- {x-version-update;com.github.spotbugs:spotbugs-maven-plugin;external_dependency} -->
+        <configuration>
+          <plugins>
+            <plugin>
+              <groupId>com.h3xstream.findsecbugs</groupId>
+              <artifactId>findsecbugs-plugin</artifactId>
+              <version>1.9.0</version> <!-- {x-version-update;com.h3xstream.findsecbugs:findsecbugs-plugin;external_dependency} -->
+            </plugin>
+          </plugins>
+        </configuration>
+      </plugin>
+
     </plugins>
   </build>
 

diff --git a/sdk/core/azure-core/src/main/java/com/azure/core/util/logging/ClientLogger.java b/sdk/core/azure-core/src/main/java/com/azure/core/util/logging/ClientLogger.java
@@ -12,6 +12,7 @@
 
 import java.util.Arrays;
 import java.util.Objects;
+import java.util.regex.Pattern;
 
 /**
  * This is a fluent logger helper class that wraps a pluggable {@link Logger}.
@@ -35,6 +36,7 @@
  * @see Configuration
  */
 public class ClientLogger {
+    private static final Pattern CRLF_PATTERN = Pattern.compile("[\r\n]");
     private final Logger logger;
 
     /**
@@ -70,7 +72,7 @@ public ClientLogger(String className) {
      */
     public void verbose(String message) {
         if (logger.isDebugEnabled()) {
-            logger.debug(message);
+            logger.debug(sanitizeLogMessageInput(message));
         }
     }
 
@@ -106,7 +108,7 @@ public void verbose(String format, Object... args) {
      */
     public void info(String message) {
         if (logger.isInfoEnabled()) {
-            logger.info(message);
+            logger.info(sanitizeLogMessageInput(message));
         }
     }
 
@@ -142,7 +144,7 @@ public void info(String format, Object... args) {
      */
     public void warning(String message) {
         if (logger.isWarnEnabled()) {
-            logger.warn(message);
+            logger.warn(sanitizeLogMessageInput(message));
         }
     }
 
@@ -178,7 +180,7 @@ public void warning(String format, Object... args) {
      */
     public void error(String message) {
         if (logger.isErrorEnabled()) {
-            logger.error(message);
+            logger.error(sanitizeLogMessageInput(message));
         }
     }
 
@@ -327,6 +329,7 @@ private void performLogging(LogLevel logLevel, boolean isExceptionLogging, Strin
             }
         }
 
+        sanitizeLogMessageInput(format);
         switch (logLevel) {
             case VERBOSE:
                 logger.debug(format, args);
@@ -401,4 +404,14 @@ private boolean doesArgsHaveThrowable(Object... args) {
     private Object[] removeThrowable(Object... args) {
         return Arrays.copyOf(args, args.length - 1);
     }
+
+    /**
+     * Removes CRLF pattern in the {@code logMessage}.
+     *
+     * @param logMessage The log message to sanitize.
+     * @return The updated logMessage.
+     */
+    private static String sanitizeLogMessageInput(String logMessage) {
+        return CRLF_PATTERN.matcher(logMessage).replaceAll("");
+    }
 }
diff --git a/sdk/core/azure-core/src/test/java/com/azure/core/util/logging/ClientLoggerTests.java b/sdk/core/azure-core/src/test/java/com/azure/core/util/logging/ClientLoggerTests.java
@@ -80,6 +80,30 @@ public void logSimpleMessage(LogLevel logLevelToConfigure, LogLevel logLevelToUs
         assertEquals(logContainsMessage, logValues.contains(logMessage));
     }
 
+    /**
+     * Test whether a log will be captured when the ClientLogger and message are configured to the passed log levels.
+     */
+    @ParameterizedTest
+    @MethodSource("logMaliciousErrorSupplier")
+    @ResourceLock("SYSTEM_OUT")
+    public void logMaliciousMessage(LogLevel logLevelToConfigure, LogLevel logLevelToUse)
+        throws UnsupportedEncodingException {
+        String logMessage = "You have successfully authenticated, \r\n[INFO] User dummy was not"
+                                + " successfully authenticated.";
+
+        String expectedMessage = "You have successfully authenticated, [INFO] User dummy was not"
+                                     + " successfully authenticated.";
+
+        String originalLogLevel = setupLogLevel(logLevelToConfigure.getLogLevel());
+        logMessage(new ClientLogger(ClientLoggerTests.class), logLevelToUse, logMessage);
+
+        setPropertyToOriginalOrClear(originalLogLevel);
+
+        String logValues = logCaptureStream.toString("UTF-8");
+        System.out.println(logValues);
+        assertEquals(true, logValues.contains(expectedMessage));
+    }
+
     @ParameterizedTest
     @MethodSource("singleLevelCheckSupplier")
     @ResourceLock("SYSTEM_OUT")
@@ -461,6 +485,41 @@ private static Stream<Arguments> multiLevelCheckSupplier() {
         );
     }
 
+    private static Stream<Arguments> logMaliciousErrorSupplier() {
+        return Stream.of(
+            // Supported logging level set to VERBOSE.
+            // Checking VERBOSE.
+            Arguments.of(LogLevel.VERBOSE, LogLevel.VERBOSE, true),
+
+            // Checking INFORMATIONAL.
+            Arguments.of(LogLevel.VERBOSE, LogLevel.INFORMATIONAL, true),
+
+            // Checking WARNING.
+            Arguments.of(LogLevel.VERBOSE, LogLevel.WARNING, true),
+
+            // Checking ERROR.
+            Arguments.of(LogLevel.VERBOSE, LogLevel.ERROR, true),
+
+            // Checking INFORMATIONAL.
+            Arguments.of(LogLevel.INFORMATIONAL, LogLevel.INFORMATIONAL, true),
+
+            // Checking WARNING.
+            Arguments.of(LogLevel.INFORMATIONAL, LogLevel.WARNING, true),
+
+            // Checking ERROR.
+            Arguments.of(LogLevel.INFORMATIONAL, LogLevel.ERROR, true),
+
+            // Checking WARNING.
+            Arguments.of(LogLevel.WARNING, LogLevel.WARNING, true),
+
+            // Checking ERROR.
+            Arguments.of(LogLevel.WARNING, LogLevel.ERROR, true),
+
+            // Checking ERROR.
+            Arguments.of(LogLevel.ERROR, LogLevel.ERROR, true)
+        );
+    }
+
     private static Stream<Arguments> logExceptionAsWarningSupplier() {
         return Stream.of(
             Arguments.of(LogLevel.VERBOSE, true, true),