github-advanced-security[bot] commented on code in PR #3136:
URL: https://github.com/apache/cxf/pull/3136#discussion_r3287833974
##########
rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AbstractTokenService.java:
##########
@@ -254,17 +254,18 @@
return null;
}
Client client = null;
+ String sanitizedClientId =
AuthorizationUtils.stripControlCharacters(clientId);
try {
client = getValidClient(clientId, clientSecret, params);
} catch (OAuthServiceException ex) {
- LOG.warning("No valid client found for clientId: " + clientId);
+ LOG.warning("No valid client found for clientId: " +
sanitizedClientId);
if (ex.getError() != null) {
reportInvalidClient(ex.getError());
return null;
}
}
if (client == null) {
- LOG.warning("No valid client found for clientId: " + clientId);
+ LOG.warning("No valid client found for clientId: " +
sanitizedClientId);
Review Comment:
## CodeQL / Insertion of sensitive information into log files
This [potentially sensitive information](1) is written to a log file.
[Show more
details](https://github.com/apache/cxf/security/code-scanning/2238)
##########
rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AbstractTokenService.java:
##########
@@ -254,17 +254,18 @@
return null;
}
Client client = null;
+ String sanitizedClientId =
AuthorizationUtils.stripControlCharacters(clientId);
try {
client = getValidClient(clientId, clientSecret, params);
} catch (OAuthServiceException ex) {
- LOG.warning("No valid client found for clientId: " + clientId);
+ LOG.warning("No valid client found for clientId: " +
sanitizedClientId);
Review Comment:
## CodeQL / Insertion of sensitive information into log files
This [potentially sensitive information](1) is written to a log file.
[Show more
details](https://github.com/apache/cxf/security/code-scanning/2237)
##########
rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AbstractTokenService.java:
##########
@@ -254,17 +254,18 @@
return null;
}
Client client = null;
+ String sanitizedClientId =
AuthorizationUtils.stripControlCharacters(clientId);
try {
client = getValidClient(clientId, clientSecret, params);
} catch (OAuthServiceException ex) {
- LOG.warning("No valid client found for clientId: " + clientId);
+ LOG.warning("No valid client found for clientId: " +
sanitizedClientId);
Review Comment:
## CodeQL / Log Injection
This log entry depends on a [user-provided value](1).
This log entry depends on a [user-provided value](2).
This log entry depends on a [user-provided value](3).
[Show more
details](https://github.com/apache/cxf/security/code-scanning/2239)
##########
rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AbstractTokenService.java:
##########
@@ -254,17 +254,18 @@
return null;
}
Client client = null;
+ String sanitizedClientId =
AuthorizationUtils.stripControlCharacters(clientId);
try {
client = getValidClient(clientId, clientSecret, params);
} catch (OAuthServiceException ex) {
- LOG.warning("No valid client found for clientId: " + clientId);
+ LOG.warning("No valid client found for clientId: " +
sanitizedClientId);
if (ex.getError() != null) {
reportInvalidClient(ex.getError());
return null;
}
}
if (client == null) {
- LOG.warning("No valid client found for clientId: " + clientId);
+ LOG.warning("No valid client found for clientId: " +
sanitizedClientId);
Review Comment:
## CodeQL / Log Injection
This log entry depends on a [user-provided value](1).
This log entry depends on a [user-provided value](2).
This log entry depends on a [user-provided value](3).
[Show more
details](https://github.com/apache/cxf/security/code-scanning/2240)
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
