-
Notifications
You must be signed in to change notification settings - Fork 0
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
chore: editing logs configuration [PAGOPA-2221] #130
base: main
Are you sure you want to change the base?
Conversation
The default action is to increase the PATCH number of SEMVER. Set IGNORE-FOR-RELEASE if you want to skip SEMVER bump. BREAKING-CHANGE and NEW-RELEASE must be run from GH Actions section manually. |
The default action is to increase the |
src/main/java/it/gov/pagopa/wispconverter/controller/ReceiptController.java
Fixed
Show fixed
Hide fixed
src/main/java/it/gov/pagopa/wispconverter/controller/ReceiptController.java
Fixed
Show fixed
Hide fixed
src/main/java/it/gov/pagopa/wispconverter/controller/ReceiptTimerController.java
Fixed
Show fixed
Hide fixed
src/main/java/it/gov/pagopa/wispconverter/controller/ReceiptTimerController.java
Fixed
Show fixed
Hide fixed
src/main/java/it/gov/pagopa/wispconverter/controller/ReceiptTimerController.java
Fixed
Show fixed
Hide fixed
src/main/java/it/gov/pagopa/wispconverter/controller/ReceiptTimerController.java
Fixed
Show fixed
Hide fixed
src/main/java/it/gov/pagopa/wispconverter/controller/RecoveryController.java
Fixed
Show fixed
Hide fixed
src/main/java/it/gov/pagopa/wispconverter/controller/RecoveryController.java
Fixed
Show fixed
Hide fixed
src/main/java/it/gov/pagopa/wispconverter/controller/RecoveryController.java
Fixed
Show fixed
Hide fixed
src/main/java/it/gov/pagopa/wispconverter/controller/ReceiptTimerController.java
Fixed
Show fixed
Hide fixed
src/main/java/it/gov/pagopa/wispconverter/controller/ReceiptTimerController.java
Fixed
Show fixed
Hide fixed
# Conflicts: # src/main/java/it/gov/pagopa/wispconverter/controller/ReceiptController.java # src/main/java/it/gov/pagopa/wispconverter/controller/RecoveryController.java # src/main/java/it/gov/pagopa/wispconverter/scheduler/RecoveryScheduler.java # src/main/java/it/gov/pagopa/wispconverter/service/RPTTimerService.java # src/main/java/it/gov/pagopa/wispconverter/servicebus/ECommerceHangTimeoutConsumer.java # src/main/java/it/gov/pagopa/wispconverter/servicebus/PaymentTimeoutConsumer.java # src/main/java/it/gov/pagopa/wispconverter/servicebus/RPTTimeoutConsumer.java # src/main/java/it/gov/pagopa/wispconverter/servicebus/RTConsumer.java
src/main/java/it/gov/pagopa/wispconverter/controller/RPTTimerController.java
Fixed
Show fixed
Hide fixed
log.debug("Invoking API operation recoverReceiptKOForCreditorInstitution - args: {} {} {}", | ||
sanitizeInput(ci), dateFrom, dateTo); |
Check failure
Code scanning / CodeQL
Log Injection High
user-provided value
This log entry depends on a
user-provided value
Show autofix suggestion
Hide autofix suggestion
Copilot Autofix AI 6 days ago
To fix the log injection issue, we need to sanitize the dateFrom
and dateTo
parameters before logging them. This can be done by removing any potentially harmful characters, such as new-line characters, which can be used to manipulate log entries. We will use a simple sanitization method that replaces new-line characters with an empty string.
- Create a sanitization method to clean the
dateFrom
anddateTo
parameters. - Apply this sanitization method to
dateFrom
anddateTo
before logging them.
-
Copy modified line R49
@@ -48,3 +48,3 @@ | ||
log.debug("Invoking API operationrecoverReceiptKOForCreditorInstitution - args: {} {} {}", | ||
sanitizeInput(ci), dateFrom, dateTo); | ||
sanitizeInput(ci), sanitizeInput(dateFrom), sanitizeInput(dateTo)); | ||
RecoveryReceiptResponse response = recoveryService.recoverReceiptKOByCI(ci, dateFrom, dateTo); |
log.debug("Invoking API operation recoverReceiptKOForCreditorInstitution - args: {} {} {} {}", | ||
sanitizeInput(ci), sanitizeInput(iuv), dateFrom, dateTo); |
Check failure
Code scanning / CodeQL
Log Injection High
user-provided value
This log entry depends on a
user-provided value
Show autofix suggestion
Hide autofix suggestion
Copilot Autofix AI 6 days ago
To fix the log injection issue, we need to sanitize the dateFrom
parameter before it is logged. This can be done by using the existing sanitizeInput
method, which is already used for other parameters in the same method. This ensures that any potentially harmful characters are removed or escaped, preventing log injection.
- General Fix: Sanitize user input before logging it.
- Detailed Fix: Apply the
sanitizeInput
method to thedateFrom
parameter in therecoverReceiptKOForCreditorInstitutionAndIUV
method. - Specific Changes: Modify line 77 to use
sanitizeInput(dateFrom)
instead ofdateFrom
. - Requirements: No new methods or imports are needed as the
sanitizeInput
method is already available.
-
Copy modified line R77
@@ -76,3 +76,3 @@ | ||
log.debug("Invoking API operationrecoverReceiptKOForCreditorInstitution - args: {} {} {} {}", | ||
sanitizeInput(ci), sanitizeInput(iuv), dateFrom, dateTo); | ||
sanitizeInput(ci), sanitizeInput(iuv), sanitizeInput(dateFrom), dateTo); | ||
|
src/main/java/it/gov/pagopa/wispconverter/controller/RecoveryController.java
Fixed
Show fixed
Hide fixed
src/main/java/it/gov/pagopa/wispconverter/controller/RecoveryController.java
Fixed
Show fixed
Hide fixed
|
||
// build the service bus message | ||
ServiceBusMessage serviceBusMessage = new ServiceBusMessage(message.toString()); | ||
log.debug("Sending scheduled message {} to the queue: {}", message.toString(), queueName); |
Check failure
Code scanning / CodeQL
Log Injection High
user-provided value
Show autofix suggestion
Hide autofix suggestion
Copilot Autofix AI 6 days ago
To fix the log injection issue, we need to sanitize the user input before logging it. This can be done by removing or encoding any potentially harmful characters from the message
object before it is logged. Specifically, we can replace newline characters and other special characters that could be used for log injection.
-
General Fix Approach:
- Sanitize the
message
object before logging it. - Use a utility method to remove or encode potentially harmful characters.
- Sanitize the
-
Detailed Fix:
- Create a utility method to sanitize the
message
object. - Use this utility method to sanitize the
message
before logging it in thesendMessage
method ofRPTTimerService
.
- Create a utility method to sanitize the
-
Specific Changes:
- Add a utility method
sanitizeForLogging
in theCommonUtility
class. - Use this method to sanitize the
message
object before logging it in thesendMessage
method.
- Add a utility method
-
Copy modified lines R93-R95 -
Copy modified line R102
@@ -92,4 +92,5 @@ | ||
// build the service bus message | ||
ServiceBusMessage serviceBusMessage = new ServiceBusMessage(message.toString()); | ||
log.debug("Sending scheduled message {} to the queue: {}", message.toString(), queueName); | ||
String sanitizedMessage = sanitizeInput(message.toString()); | ||
ServiceBusMessage serviceBusMessage = new ServiceBusMessage(sanitizedMessage); | ||
log.debug("Sending scheduled message {} to the queue: {}", sanitizedMessage, queueName); | ||
|
||
@@ -100,3 +101,3 @@ | ||
// log event | ||
log.debug("Sent scheduled message_base64 {} to the queue: {}", LogUtils.encodeToBase64(message.toString()), queueName); | ||
log.debug("Sent scheduled message_base64 {} to the queue: {}", LogUtils.encodeToBase64(sanitizedMessage), queueName); | ||
generateRE(InternalStepStatus.RPT_TIMER_CREATED, "Scheduled RPTTimerService: [" + message + "]"); |
Long sequenceNumber = serviceBusSenderClient.scheduleMessage(serviceBusMessage, scheduledExpirationTime); | ||
|
||
// log event | ||
log.debug("Sent scheduled message_base64 {} to the queue: {}", LogUtils.encodeToBase64(message.toString()), queueName); |
Check failure
Code scanning / CodeQL
Log Injection High
user-provided value
Show autofix suggestion
Hide autofix suggestion
Copilot Autofix AI 6 days ago
To fix the log injection issue, we need to sanitize the user input before logging it. This can be done by removing or escaping any potentially harmful characters from the input. Specifically, we should replace newline characters and other control characters that could be used to manipulate log entries.
- General Fix: Sanitize the user input to remove or escape harmful characters before logging.
- Detailed Fix: Use a utility method to sanitize the
message.toString()
output before passing it to theLogUtils.encodeToBase64
method and logging it. - Specific Changes:
- Add a utility method to sanitize the input string.
- Use this utility method to sanitize the
message.toString()
output before logging.
-
Copy modified lines R28-R29 -
Copy modified lines R103-R104 -
Copy modified lines R111-R119
@@ -27,2 +27,4 @@ | ||
import static it.gov.pagopa.wispconverter.util.CommonUtility.sanitizeInput; | ||
import java.util.regex.Pattern; | ||
import java.util.regex.Matcher; | ||
import static it.gov.pagopa.wispconverter.util.MDCUtil.setRPTTimerInfoInMDC; | ||
@@ -100,3 +102,4 @@ | ||
// log event | ||
log.debug("Sent scheduled message_base64 {} to the queue: {}", LogUtils.encodeToBase64(message.toString()), queueName); | ||
String sanitizedMessage = sanitizeInput(message.toString()); | ||
log.debug("Sent scheduled message_base64 {} to the queue: {}", LogUtils.encodeToBase64(sanitizedMessage), queueName); | ||
generateRE(InternalStepStatus.RPT_TIMER_CREATED, "Scheduled RPTTimerService: [" + message + "]"); | ||
@@ -107,2 +110,11 @@ | ||
|
||
private String sanitizeInput(String input) { | ||
if (input == null) { | ||
return null; | ||
} | ||
// Remove any control characters and newlines | ||
Pattern pattern = Pattern.compile("[\\p{Cntrl}\\n\\r]"); | ||
Matcher matcher = pattern.matcher(input); | ||
return matcher.replaceAll(""); | ||
} | ||
|
This PR exceeds the recommended size of 400 lines. Please make sure you are NOT addressing multiple issues with one PR. Note this PR might be rejected due to its size. |
Quality Gate failedFailed conditions |
src/main/java/it/gov/pagopa/wispconverter/controller/RPTTimerController.java
Fixed
Show fixed
Hide fixed
src/main/java/it/gov/pagopa/wispconverter/controller/ReceiptTimerController.java
Fixed
Show fixed
Hide fixed
src/main/java/it/gov/pagopa/wispconverter/controller/RecoveryController.java
Fixed
Show fixed
Hide fixed
src/main/java/it/gov/pagopa/wispconverter/controller/RecoveryController.java
Fixed
Show fixed
Hide fixed
src/main/java/it/gov/pagopa/wispconverter/controller/RecoveryController.java
Fixed
Show fixed
Hide fixed
…/pagopa-wisp-converter into PAGOPA-2221 # Please enter a commit message to explain why this merge is necessary, # especially if it merges an updated upstream into a topic branch. # # Lines starting with '#' will be ignored, and an empty message aborts # the commit.
…/pagopa-wisp-converter into PAGOPA-2221 # Please enter a commit message to explain why this merge is necessary, # especially if it merges an updated upstream into a topic branch. # # Lines starting with '#' will be ignored, and an empty message aborts # the commit.
@@ -51,9 +51,9 @@ | |||
@Trace(businessProcess = RPT_BP_TIMER_SET, reEnabled = true) | |||
public void createTimer(@RequestBody RPTTimerRequest request) { | |||
try { | |||
log.info("Invoking API operation createRPTTimer - args: {}", sanitizeInput(request.toString())); | |||
log.debug("Invoking API operationcreateRPTTimer - args: {}", request.toString()); |
Check failure
Code scanning / CodeQL
Log Injection High
user-provided value
Show autofix suggestion
Hide autofix suggestion
Copilot Autofix AI 6 days ago
To fix the log injection issue, we need to sanitize the user input before logging it. This can be done by ensuring that the toString()
method of the request
object does not contain any characters that could be used for log injection, such as newlines or special characters. We can achieve this by using a utility method to sanitize the output of toString()
before logging it.
- Create a utility method to sanitize the string by removing or escaping potentially harmful characters.
- Use this utility method to sanitize the output of
request.toString()
before logging it.
-
Copy modified line R54
@@ -53,3 +53,3 @@ | ||
try { | ||
log.debug("Invoking API operationcreateRPTTimer - args: {}", request.toString()); | ||
log.debug("Invoking API operationcreateRPTTimer - args: {}", sanitizeInput(request.toString())); | ||
rptTimerService.sendMessage(request); |
@@ -102,9 +106,9 @@ | |||
public void receiptKo(@RequestBody String request) throws Exception { | |||
|
|||
try { | |||
log.info("Invoking API operation receiptKo - args: {}", request); | |||
log.debug("Invoking API operationreceiptKo - args: {}", request); |
Check failure
Code scanning / CodeQL
Log Injection High
user-provided value
Show autofix suggestion
Hide autofix suggestion
Copilot Autofix AI 6 days ago
To fix the log injection issue, we need to sanitize the user-provided input before logging it. This can be done by removing or escaping any potentially harmful characters such as newlines. We can use a utility method to sanitize the input string.
- General Fix: Sanitize the user input to remove or escape harmful characters before logging.
- Detailed Fix: Implement a utility method to sanitize the input by replacing newline characters with a space or another harmless character. Use this method to sanitize the
request
parameter before logging it. - Specific Changes: Modify the
receiptKo
method insrc/main/java/it/gov/pagopa/wispconverter/controller/ReceiptController.java
to sanitize therequest
parameter before logging.
-
Copy modified lines R109-R110
@@ -108,3 +108,4 @@ | ||
try { | ||
log.debug("Invoking API operationreceiptKo - args: {}", request); | ||
String sanitizedRequest = sanitizeInput(request); | ||
log.debug("Invoking API operationreceiptKo - args: {}", sanitizedRequest); | ||
receiptService.sendKoPaaInviaRtToCreditorInstitution(List.of(mapper.readValue(request, ReceiptDto.class)).toString()); |
@@ -52,9 +54,9 @@ | |||
@Trace(businessProcess = BP_TIMER_SET, reEnabled = true) | |||
public void createTimer(@RequestBody ReceiptTimerRequest request) { | |||
try { | |||
log.info("Invoking API operation createTimer - args: {}", request.toString()); | |||
log.debug("Invoking API operationcreateTimer - args: {}", request.toString()); |
Check failure
Code scanning / CodeQL
Insertion of sensitive information into log files High
potentially sensitive information
Show autofix suggestion
Hide autofix suggestion
Copilot Autofix AI 6 days ago
To fix the problem, we need to avoid logging sensitive information directly. Instead of logging the entire request
object, we should log only non-sensitive information or a sanitized version of the request. We can create a custom method to generate a sanitized string representation of the ReceiptTimerRequest
object, excluding sensitive fields.
-
Copy modified line R57 -
Copy modified lines R96-R103
@@ -56,3 +56,3 @@ | ||
try { | ||
log.debug("Invoking API operationcreateTimer - args: {}", request.toString()); | ||
log.debug("Invoking API operation createTimer - args: {}", sanitizeRequest(request)); | ||
receiptTimerService.sendMessage(request); | ||
@@ -95,2 +95,10 @@ | ||
} | ||
|
||
private String sanitizeRequest(ReceiptTimerRequest request) { | ||
return String.format("ReceiptTimerRequest(sessionId=%s, fiscalCode=%s, noticeNumber=%s, expirationTime=%d)", | ||
request.getSessionId(), | ||
request.getFiscalCode(), | ||
request.getNoticeNumber(), | ||
request.getExpirationTime()); | ||
} | ||
} |
@@ -52,9 +54,9 @@ | |||
@Trace(businessProcess = BP_TIMER_SET, reEnabled = true) | |||
public void createTimer(@RequestBody ReceiptTimerRequest request) { | |||
try { | |||
log.info("Invoking API operation createTimer - args: {}", request.toString()); | |||
log.debug("Invoking API operationcreateTimer - args: {}", request.toString()); |
Check failure
Code scanning / CodeQL
Log Injection High
user-provided value
Show autofix suggestion
Hide autofix suggestion
Copilot Autofix AI 6 days ago
To fix the log injection issue, we need to ensure that any user-provided data included in log entries is properly sanitized. This can be achieved by sanitizing the output of the toString()
method before logging it. We will use the existing sanitizeInput
method to clean the data.
- Modify the log statement on line 57 to sanitize the output of
request.toString()
. - Ensure that the
sanitizeInput
method is used to clean the data before it is logged.
-
Copy modified line R57
@@ -56,3 +56,3 @@ | ||
try { | ||
log.debug("Invoking API operationcreateTimer - args: {}", request.toString()); | ||
log.debug("Invoking API operation createTimer - args: {}", sanitizeInput(request.toString())); | ||
receiptTimerService.sendMessage(request); |
@@ -77,10 +79,10 @@ | |||
@Trace(businessProcess = BP_TIMER_DELETE, reEnabled = true) | |||
public void deleteTimer(@RequestParam() String paymentTokens) { | |||
try { | |||
log.info("Invoking API operation deleteTimer - args: {}", paymentTokens); | |||
log.debug("Invoking API operationdeleteTimer - args: {}", sanitizeInput(paymentTokens)); |
Check failure
Code scanning / CodeQL
Insertion of sensitive information into log files High
potentially sensitive information
Show autofix suggestion
Hide autofix suggestion
Copilot Autofix AI 6 days ago
To fix the problem, we should avoid logging the paymentTokens
directly. Instead, we can log a generic message indicating that the operation was invoked without including the sensitive data. This approach ensures that no sensitive information is written to the log files while still providing useful debug information.
- Remove the logging of
paymentTokens
in thedeleteTimer
method. - Log a generic message indicating the invocation of the operation.
-
Copy modified line R82
@@ -81,3 +81,3 @@ | ||
try { | ||
log.debug("Invoking API operationdeleteTimer - args: {}", sanitizeInput(paymentTokens)); | ||
log.debug("Invoking API operation deleteTimer"); | ||
List<String> tokens = Arrays.asList(paymentTokens.split(",")); |
@@ -100,7 +102,7 @@ | |||
@PostMapping(value = "/receipts") | |||
public ResponseEntity<RecoveryReceiptReportResponse> recoverReceiptToBeReSent(@RequestBody RecoveryReceiptRequest request) { | |||
try { | |||
log.info("Invoking API operation recoverReceiptToBeReSent - args: {}", sanitizeInput(request.toString())); | |||
log.debug("Invoking API operationrecoverReceiptToBeReSent - args: {}", request.toString()); |
Check failure
Code scanning / CodeQL
Log Injection High
user-provided value
Show autofix suggestion
Hide autofix suggestion
Copilot Autofix AI 6 days ago
To fix the log injection issue, we need to sanitize the user input before logging it. This can be done by replacing potentially harmful characters with safe alternatives. Specifically, we should remove or replace newline characters and other special characters that could be used to manipulate log entries.
The best way to fix this problem without changing existing functionality is to create a utility method that sanitizes the input and use this method before logging the request
object. This ensures that any potentially harmful characters are removed or replaced.
-
Copy modified lines R29-R35 -
Copy modified line R112 -
Copy modified line R131
@@ -28,2 +28,9 @@ | ||
|
||
private String sanitizeInput(String input) { | ||
if (input == null) { | ||
return null; | ||
} | ||
return input.replaceAll("[\\r\\n]", "_"); | ||
} | ||
|
||
@RestController | ||
@@ -104,3 +111,3 @@ | ||
try { | ||
log.debug("Invoking API operationrecoverReceiptToBeReSent - args: {}", request.toString()); | ||
log.debug("Invoking API operationrecoverReceiptToBeReSent - args: {}", sanitizeInput(request.toString())); | ||
return ResponseEntity.ok(recoveryService.recoverReceiptToBeReSent(request)); | ||
@@ -123,3 +130,3 @@ | ||
try { | ||
log.debug("Invoking API operationrecoverReceiptToBeReSentByPartition - args: {}", request.toString()); | ||
log.debug("Invoking API operationrecoverReceiptToBeReSentByPartition - args: {}", sanitizeInput(request.toString())); | ||
return ResponseEntity.ok(recoveryService.recoverReceiptToBeReSentByPartition(request)); |
@Operation(summary = "Execute reconciliation for passed receipts by partition.", description = "Execute reconciliation of all receipts contained in the partitions of the request", security = {@SecurityRequirement(name = "ApiKey")}, tags = {"Recovery"}) | ||
@ApiResponses(value = { | ||
@ApiResponse(responseCode = "200", description = "Reconciliation scheduled") | ||
}) | ||
@PostMapping(value = "/partitions") | ||
public ResponseEntity<RecoveryReceiptReportResponse> recoverReceiptToBeReSentByPartition(@RequestBody RecoveryReceiptByPartitionRequest request) { | ||
try { | ||
log.info("Invoking API operation recoverReceiptToBeReSentByPartition - args: {}", sanitizeInput(request.toString())); | ||
log.debug("Invoking API operationrecoverReceiptToBeReSentByPartition - args: {}", request.toString()); |
Check failure
Code scanning / CodeQL
Log Injection High
user-provided value
Show autofix suggestion
Hide autofix suggestion
Copilot Autofix AI 6 days ago
To fix the log injection issue, we need to sanitize the user input before logging it. This can be done by replacing potentially dangerous characters in the user input with safe alternatives. Specifically, we should remove or replace newline characters and other special characters that could be used to manipulate log entries.
The best way to fix this problem without changing existing functionality is to sanitize the request
object before logging it. We can create a utility method to sanitize the input and use this method in the log statement.
-
Copy modified line R124
@@ -123,3 +123,3 @@ | ||
try { | ||
log.debug("Invoking API operationrecoverReceiptToBeReSentByPartition - args: {}", request.toString()); | ||
log.debug("Invoking API operationrecoverReceiptToBeReSentByPartition - args: {}", sanitizeInput(request.toString())); | ||
return ResponseEntity.ok(recoveryService.recoverReceiptToBeReSentByPartition(request)); |
…/pagopa-wisp-converter into PAGOPA-2221 # Please enter a commit message to explain why this merge is necessary, # especially if it merges an updated upstream into a topic branch. # # Lines starting with '#' will be ignored, and an empty message aborts # the commit.
List of Changes
Motivation and Context
Needed in order to refactor logs and reduce costs
How Has This Been Tested?
Manually
Screenshots (if appropriate):
Types of changes
Checklist: