chore: editing logs configuration [PAGOPA-2221] #130
Conversation
|
The default action is to increase the PATCH number of SEMVER. Set IGNORE-FOR-RELEASE if you want to skip SEMVER bump. BREAKING-CHANGE and NEW-RELEASE must be run from GH Actions section manually. |
|
The default action is to increase the |
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
src/main/java/it/gov/pagopa/wispconverter/controller/ReceiptController.java
Fixed
Show fixed
Hide fixed
src/main/java/it/gov/pagopa/wispconverter/controller/ReceiptController.java
Fixed
Show fixed
Hide fixed
src/main/java/it/gov/pagopa/wispconverter/controller/ReceiptTimerController.java
Fixed
Show fixed
Hide fixed
src/main/java/it/gov/pagopa/wispconverter/controller/ReceiptTimerController.java
Fixed
Show fixed
Hide fixed
src/main/java/it/gov/pagopa/wispconverter/controller/ReceiptTimerController.java
Fixed
Show fixed
Hide fixed
src/main/java/it/gov/pagopa/wispconverter/controller/ReceiptTimerController.java
Fixed
Show fixed
Hide fixed
src/main/java/it/gov/pagopa/wispconverter/controller/RecoveryController.java
Fixed
Show fixed
Hide fixed
src/main/java/it/gov/pagopa/wispconverter/controller/RecoveryController.java
Fixed
Show fixed
Hide fixed
src/main/java/it/gov/pagopa/wispconverter/controller/RecoveryController.java
Fixed
Show fixed
Hide fixed
src/main/java/it/gov/pagopa/wispconverter/controller/ReceiptTimerController.java
Fixed
Show fixed
Hide fixed
src/main/java/it/gov/pagopa/wispconverter/controller/ReceiptTimerController.java
Fixed
Show fixed
Hide fixed
FedericoRuzzier
changed the title
# Conflicts: # src/main/java/it/gov/pagopa/wispconverter/controller/ReceiptController.java # src/main/java/it/gov/pagopa/wispconverter/controller/RecoveryController.java # src/main/java/it/gov/pagopa/wispconverter/scheduler/RecoveryScheduler.java # src/main/java/it/gov/pagopa/wispconverter/service/RPTTimerService.java # src/main/java/it/gov/pagopa/wispconverter/servicebus/ECommerceHangTimeoutConsumer.java # src/main/java/it/gov/pagopa/wispconverter/servicebus/PaymentTimeoutConsumer.java # src/main/java/it/gov/pagopa/wispconverter/servicebus/RPTTimeoutConsumer.java # src/main/java/it/gov/pagopa/wispconverter/servicebus/RTConsumer.java
src/main/java/it/gov/pagopa/wispconverter/controller/RPTTimerController.java
Fixed
Show fixed
Hide fixed
| log.debug("Invoking API operation recoverReceiptKOForCreditorInstitution - args: {} {} {}", | ||
| sanitizeInput(ci), dateFrom, dateTo); |
Check failure
Code scanning / CodeQL
Log Injection High
Show autofix suggestion
Hide autofix suggestion
Copilot Autofix AI 6 days ago
To fix the log injection issue, we need to sanitize the dateFrom and dateTo parameters before logging them. This can be done by removing any potentially harmful characters, such as new-line characters, which can be used to manipulate log entries. We will use a simple sanitization method that replaces new-line characters with an empty string.
- Create a sanitization method to clean the
dateFromanddateToparameters. - Apply this sanitization method to
dateFromanddateTobefore logging them.
| @@ -48,3 +48,3 @@ | ||
| log.debug("Invoking API operationrecoverReceiptKOForCreditorInstitution - args: {} {} {}", | ||
| sanitizeInput(ci), dateFrom, dateTo); | ||
| sanitizeInput(ci), sanitizeInput(dateFrom), sanitizeInput(dateTo)); | ||
| RecoveryReceiptResponse response = recoveryService.recoverReceiptKOByCI(ci, dateFrom, dateTo); |
| log.debug("Invoking API operation recoverReceiptKOForCreditorInstitution - args: {} {} {} {}", | ||
| sanitizeInput(ci), sanitizeInput(iuv), dateFrom, dateTo); |
Check failure
Code scanning / CodeQL
Log Injection High
Show autofix suggestion
Hide autofix suggestion
Copilot Autofix AI 6 days ago
To fix the log injection issue, we need to sanitize the dateFrom parameter before it is logged. This can be done by using the existing sanitizeInput method, which is already used for other parameters in the same method. This ensures that any potentially harmful characters are removed or escaped, preventing log injection.
- General Fix: Sanitize user input before logging it.
- Detailed Fix: Apply the
sanitizeInputmethod to thedateFromparameter in therecoverReceiptKOForCreditorInstitutionAndIUVmethod. - Specific Changes: Modify line 77 to use
sanitizeInput(dateFrom)instead ofdateFrom. - Requirements: No new methods or imports are needed as the
sanitizeInputmethod is already available.
| @@ -76,3 +76,3 @@ | ||
| log.debug("Invoking API operationrecoverReceiptKOForCreditorInstitution - args: {} {} {} {}", | ||
| sanitizeInput(ci), sanitizeInput(iuv), dateFrom, dateTo); | ||
| sanitizeInput(ci), sanitizeInput(iuv), sanitizeInput(dateFrom), dateTo); | ||
|
|
src/main/java/it/gov/pagopa/wispconverter/controller/RecoveryController.java
Fixed
Show fixed
Hide fixed
src/main/java/it/gov/pagopa/wispconverter/controller/RecoveryController.java
Fixed
Show fixed
Hide fixed
|
|
||
| // build the service bus message | ||
| ServiceBusMessage serviceBusMessage = new ServiceBusMessage(message.toString()); | ||
| log.debug("Sending scheduled message {} to the queue: {}", message.toString(), queueName); |
Check failure
Code scanning / CodeQL
Log Injection High
Show autofix suggestion
Hide autofix suggestion
Copilot Autofix AI 6 days ago
To fix the log injection issue, we need to sanitize the user input before logging it. This can be done by removing or encoding any potentially harmful characters from the message object before it is logged. Specifically, we can replace newline characters and other special characters that could be used for log injection.
-
General Fix Approach:
- Sanitize the
messageobject before logging it. - Use a utility method to remove or encode potentially harmful characters.
- Sanitize the
-
Detailed Fix:
- Create a utility method to sanitize the
messageobject. - Use this utility method to sanitize the
messagebefore logging it in thesendMessagemethod ofRPTTimerService.
- Create a utility method to sanitize the
-
Specific Changes:
- Add a utility method
sanitizeForLoggingin theCommonUtilityclass. - Use this method to sanitize the
messageobject before logging it in thesendMessagemethod.
- Add a utility method
| @@ -92,4 +92,5 @@ | ||
| // build the service bus message | ||
| ServiceBusMessage serviceBusMessage = new ServiceBusMessage(message.toString()); | ||
| log.debug("Sending scheduled message {} to the queue: {}", message.toString(), queueName); | ||
| String sanitizedMessage = sanitizeInput(message.toString()); | ||
| ServiceBusMessage serviceBusMessage = new ServiceBusMessage(sanitizedMessage); | ||
| log.debug("Sending scheduled message {} to the queue: {}", sanitizedMessage, queueName); | ||
|
|
||
| @@ -100,3 +101,3 @@ | ||
| // log event | ||
| log.debug("Sent scheduled message_base64 {} to the queue: {}", LogUtils.encodeToBase64(message.toString()), queueName); | ||
| log.debug("Sent scheduled message_base64 {} to the queue: {}", LogUtils.encodeToBase64(sanitizedMessage), queueName); | ||
| generateRE(InternalStepStatus.RPT_TIMER_CREATED, "Scheduled RPTTimerService: [" + message + "]"); |
| Long sequenceNumber = serviceBusSenderClient.scheduleMessage(serviceBusMessage, scheduledExpirationTime); | ||
|
|
||
| // log event | ||
| log.debug("Sent scheduled message_base64 {} to the queue: {}", LogUtils.encodeToBase64(message.toString()), queueName); |
Check failure
Code scanning / CodeQL
Log Injection High
Show autofix suggestion
Hide autofix suggestion
Copilot Autofix AI 6 days ago
To fix the log injection issue, we need to sanitize the user input before logging it. This can be done by removing or escaping any potentially harmful characters from the input. Specifically, we should replace newline characters and other control characters that could be used to manipulate log entries.
- General Fix: Sanitize the user input to remove or escape harmful characters before logging.
- Detailed Fix: Use a utility method to sanitize the
message.toString()output before passing it to theLogUtils.encodeToBase64method and logging it. - Specific Changes:
- Add a utility method to sanitize the input string.
- Use this utility method to sanitize the
message.toString()output before logging.
| @@ -27,2 +27,4 @@ | ||
| import static it.gov.pagopa.wispconverter.util.CommonUtility.sanitizeInput; | ||
| import java.util.regex.Pattern; | ||
| import java.util.regex.Matcher; | ||
| import static it.gov.pagopa.wispconverter.util.MDCUtil.setRPTTimerInfoInMDC; | ||
| @@ -100,3 +102,4 @@ | ||
| // log event | ||
| log.debug("Sent scheduled message_base64 {} to the queue: {}", LogUtils.encodeToBase64(message.toString()), queueName); | ||
| String sanitizedMessage = sanitizeInput(message.toString()); | ||
| log.debug("Sent scheduled message_base64 {} to the queue: {}", LogUtils.encodeToBase64(sanitizedMessage), queueName); | ||
| generateRE(InternalStepStatus.RPT_TIMER_CREATED, "Scheduled RPTTimerService: [" + message + "]"); | ||
| @@ -107,2 +110,11 @@ | ||
|
|
||
| private String sanitizeInput(String input) { | ||
| if (input == null) { | ||
| return null; | ||
| } | ||
| // Remove any control characters and newlines | ||
| Pattern pattern = Pattern.compile("[\\p{Cntrl}\\n\\r]"); | ||
| Matcher matcher = pattern.matcher(input); | ||
| return matcher.replaceAll(""); | ||
| } | ||
|
|
jacopocarlini
changed the title
|
This PR exceeds the recommended size of 400 lines. Please make sure you are NOT addressing multiple issues with one PR. Note this PR might be rejected due to its size. |
|
src/main/java/it/gov/pagopa/wispconverter/controller/RPTTimerController.java
Fixed
Show fixed
Hide fixed
src/main/java/it/gov/pagopa/wispconverter/controller/ReceiptTimerController.java
Fixed
Show fixed
Hide fixed
src/main/java/it/gov/pagopa/wispconverter/controller/RecoveryController.java
Fixed
Show fixed
Hide fixed
src/main/java/it/gov/pagopa/wispconverter/controller/RecoveryController.java
Fixed
Show fixed
Hide fixed
src/main/java/it/gov/pagopa/wispconverter/controller/RecoveryController.java
Fixed
Show fixed
Hide fixed
…/pagopa-wisp-converter into PAGOPA-2221 # Please enter a commit message to explain why this merge is necessary, # especially if it merges an updated upstream into a topic branch. # # Lines starting with '#' will be ignored, and an empty message aborts # the commit.
…/pagopa-wisp-converter into PAGOPA-2221 # Please enter a commit message to explain why this merge is necessary, # especially if it merges an updated upstream into a topic branch. # # Lines starting with '#' will be ignored, and an empty message aborts # the commit.
| @@ -51,9 +51,9 @@ | |||
| @Trace(businessProcess = RPT_BP_TIMER_SET, reEnabled = true) | |||
| public void createTimer(@RequestBody RPTTimerRequest request) { | |||
| try { | |||
| log.info("Invoking API operation createRPTTimer - args: {}", sanitizeInput(request.toString())); | |||
| log.debug("Invoking API operationcreateRPTTimer - args: {}", request.toString()); | |||
Check failure
Code scanning / CodeQL
Log Injection High
Show autofix suggestion
Hide autofix suggestion
Copilot Autofix AI 6 days ago
To fix the log injection issue, we need to sanitize the user input before logging it. This can be done by ensuring that the toString() method of the request object does not contain any characters that could be used for log injection, such as newlines or special characters. We can achieve this by using a utility method to sanitize the output of toString() before logging it.
- Create a utility method to sanitize the string by removing or escaping potentially harmful characters.
- Use this utility method to sanitize the output of
request.toString()before logging it.
| @@ -53,3 +53,3 @@ | ||
| try { | ||
| log.debug("Invoking API operationcreateRPTTimer - args: {}", request.toString()); | ||
| log.debug("Invoking API operationcreateRPTTimer - args: {}", sanitizeInput(request.toString())); | ||
| rptTimerService.sendMessage(request); |
| @@ -102,9 +106,9 @@ | |||
| public void receiptKo(@RequestBody String request) throws Exception { | |||
|
|
|||
| try { | |||
| log.info("Invoking API operation receiptKo - args: {}", request); | |||
| log.debug("Invoking API operationreceiptKo - args: {}", request); | |||
Check failure
Code scanning / CodeQL
Log Injection High
Show autofix suggestion
Hide autofix suggestion
Copilot Autofix AI 6 days ago
To fix the log injection issue, we need to sanitize the user-provided input before logging it. This can be done by removing or escaping any potentially harmful characters such as newlines. We can use a utility method to sanitize the input string.
- General Fix: Sanitize the user input to remove or escape harmful characters before logging.
- Detailed Fix: Implement a utility method to sanitize the input by replacing newline characters with a space or another harmless character. Use this method to sanitize the
requestparameter before logging it. - Specific Changes: Modify the
receiptKomethod insrc/main/java/it/gov/pagopa/wispconverter/controller/ReceiptController.javato sanitize therequestparameter before logging.
| @@ -108,3 +108,4 @@ | ||
| try { | ||
| log.debug("Invoking API operationreceiptKo - args: {}", request); | ||
| String sanitizedRequest = sanitizeInput(request); | ||
| log.debug("Invoking API operationreceiptKo - args: {}", sanitizedRequest); | ||
| receiptService.sendKoPaaInviaRtToCreditorInstitution(List.of(mapper.readValue(request, ReceiptDto.class)).toString()); |
| @@ -52,9 +54,9 @@ | |||
| @Trace(businessProcess = BP_TIMER_SET, reEnabled = true) | |||
| public void createTimer(@RequestBody ReceiptTimerRequest request) { | |||
| try { | |||
| log.info("Invoking API operation createTimer - args: {}", request.toString()); | |||
| log.debug("Invoking API operationcreateTimer - args: {}", request.toString()); | |||
Check failure
Code scanning / CodeQL
Insertion of sensitive information into log files High
Show autofix suggestion
Hide autofix suggestion
Copilot Autofix AI 6 days ago
To fix the problem, we need to avoid logging sensitive information directly. Instead of logging the entire request object, we should log only non-sensitive information or a sanitized version of the request. We can create a custom method to generate a sanitized string representation of the ReceiptTimerRequest object, excluding sensitive fields.
| @@ -56,3 +56,3 @@ | ||
| try { | ||
| log.debug("Invoking API operationcreateTimer - args: {}", request.toString()); | ||
| log.debug("Invoking API operation createTimer - args: {}", sanitizeRequest(request)); | ||
| receiptTimerService.sendMessage(request); | ||
| @@ -95,2 +95,10 @@ | ||
| } | ||
|
|
||
| private String sanitizeRequest(ReceiptTimerRequest request) { | ||
| return String.format("ReceiptTimerRequest(sessionId=%s, fiscalCode=%s, noticeNumber=%s, expirationTime=%d)", | ||
| request.getSessionId(), | ||
| request.getFiscalCode(), | ||
| request.getNoticeNumber(), | ||
| request.getExpirationTime()); | ||
| } | ||
| } |
| @@ -52,9 +54,9 @@ | |||
| @Trace(businessProcess = BP_TIMER_SET, reEnabled = true) | |||
| public void createTimer(@RequestBody ReceiptTimerRequest request) { | |||
| try { | |||
| log.info("Invoking API operation createTimer - args: {}", request.toString()); | |||
| log.debug("Invoking API operationcreateTimer - args: {}", request.toString()); | |||
Check failure
Code scanning / CodeQL
Log Injection High
Show autofix suggestion
Hide autofix suggestion
Copilot Autofix AI 6 days ago
To fix the log injection issue, we need to ensure that any user-provided data included in log entries is properly sanitized. This can be achieved by sanitizing the output of the toString() method before logging it. We will use the existing sanitizeInput method to clean the data.
- Modify the log statement on line 57 to sanitize the output of
request.toString(). - Ensure that the
sanitizeInputmethod is used to clean the data before it is logged.
| @@ -56,3 +56,3 @@ | ||
| try { | ||
| log.debug("Invoking API operationcreateTimer - args: {}", request.toString()); | ||
| log.debug("Invoking API operation createTimer - args: {}", sanitizeInput(request.toString())); | ||
| receiptTimerService.sendMessage(request); |
| @@ -77,10 +79,10 @@ | |||
| @Trace(businessProcess = BP_TIMER_DELETE, reEnabled = true) | |||
| public void deleteTimer(@RequestParam() String paymentTokens) { | |||
| try { | |||
| log.info("Invoking API operation deleteTimer - args: {}", paymentTokens); | |||
| log.debug("Invoking API operationdeleteTimer - args: {}", sanitizeInput(paymentTokens)); | |||
Check failure
Code scanning / CodeQL
Insertion of sensitive information into log files High
Show autofix suggestion
Hide autofix suggestion
Copilot Autofix AI 6 days ago
To fix the problem, we should avoid logging the paymentTokens directly. Instead, we can log a generic message indicating that the operation was invoked without including the sensitive data. This approach ensures that no sensitive information is written to the log files while still providing useful debug information.
- Remove the logging of
paymentTokensin thedeleteTimermethod. - Log a generic message indicating the invocation of the operation.
| @@ -81,3 +81,3 @@ | ||
| try { | ||
| log.debug("Invoking API operationdeleteTimer - args: {}", sanitizeInput(paymentTokens)); | ||
| log.debug("Invoking API operation deleteTimer"); | ||
| List<String> tokens = Arrays.asList(paymentTokens.split(",")); |
| @@ -100,7 +102,7 @@ | |||
| @PostMapping(value = "/receipts") | |||
| public ResponseEntity<RecoveryReceiptReportResponse> recoverReceiptToBeReSent(@RequestBody RecoveryReceiptRequest request) { | |||
| try { | |||
| log.info("Invoking API operation recoverReceiptToBeReSent - args: {}", sanitizeInput(request.toString())); | |||
| log.debug("Invoking API operationrecoverReceiptToBeReSent - args: {}", request.toString()); | |||
Check failure
Code scanning / CodeQL
Log Injection High
Show autofix suggestion
Hide autofix suggestion
Copilot Autofix AI 6 days ago
To fix the log injection issue, we need to sanitize the user input before logging it. This can be done by replacing potentially harmful characters with safe alternatives. Specifically, we should remove or replace newline characters and other special characters that could be used to manipulate log entries.
The best way to fix this problem without changing existing functionality is to create a utility method that sanitizes the input and use this method before logging the request object. This ensures that any potentially harmful characters are removed or replaced.
| @@ -28,2 +28,9 @@ | ||
|
|
||
| private String sanitizeInput(String input) { | ||
| if (input == null) { | ||
| return null; | ||
| } | ||
| return input.replaceAll("[\\r\\n]", "_"); | ||
| } | ||
|
|
||
| @RestController | ||
| @@ -104,3 +111,3 @@ | ||
| try { | ||
| log.debug("Invoking API operationrecoverReceiptToBeReSent - args: {}", request.toString()); | ||
| log.debug("Invoking API operationrecoverReceiptToBeReSent - args: {}", sanitizeInput(request.toString())); | ||
| return ResponseEntity.ok(recoveryService.recoverReceiptToBeReSent(request)); | ||
| @@ -123,3 +130,3 @@ | ||
| try { | ||
| log.debug("Invoking API operationrecoverReceiptToBeReSentByPartition - args: {}", request.toString()); | ||
| log.debug("Invoking API operationrecoverReceiptToBeReSentByPartition - args: {}", sanitizeInput(request.toString())); | ||
| return ResponseEntity.ok(recoveryService.recoverReceiptToBeReSentByPartition(request)); |
| @Operation(summary = "Execute reconciliation for passed receipts by partition.", description = "Execute reconciliation of all receipts contained in the partitions of the request", security = {@SecurityRequirement(name = "ApiKey")}, tags = {"Recovery"}) | ||
| @ApiResponses(value = { | ||
| @ApiResponse(responseCode = "200", description = "Reconciliation scheduled") | ||
| }) | ||
| @PostMapping(value = "/partitions") | ||
| public ResponseEntity<RecoveryReceiptReportResponse> recoverReceiptToBeReSentByPartition(@RequestBody RecoveryReceiptByPartitionRequest request) { | ||
| try { | ||
| log.info("Invoking API operation recoverReceiptToBeReSentByPartition - args: {}", sanitizeInput(request.toString())); | ||
| log.debug("Invoking API operationrecoverReceiptToBeReSentByPartition - args: {}", request.toString()); |
Check failure
Code scanning / CodeQL
Log Injection High
Show autofix suggestion
Hide autofix suggestion
Copilot Autofix AI 6 days ago
To fix the log injection issue, we need to sanitize the user input before logging it. This can be done by replacing potentially dangerous characters in the user input with safe alternatives. Specifically, we should remove or replace newline characters and other special characters that could be used to manipulate log entries.
The best way to fix this problem without changing existing functionality is to sanitize the request object before logging it. We can create a utility method to sanitize the input and use this method in the log statement.
| @@ -123,3 +123,3 @@ | ||
| try { | ||
| log.debug("Invoking API operationrecoverReceiptToBeReSentByPartition - args: {}", request.toString()); | ||
| log.debug("Invoking API operationrecoverReceiptToBeReSentByPartition - args: {}", sanitizeInput(request.toString())); | ||
| return ResponseEntity.ok(recoveryService.recoverReceiptToBeReSentByPartition(request)); |
…/pagopa-wisp-converter into PAGOPA-2221 # Please enter a commit message to explain why this merge is necessary, # especially if it merges an updated upstream into a topic branch. # # Lines starting with '#' will be ignored, and an empty message aborts # the commit.
List of Changes
Motivation and Context
Needed in order to refactor logs and reduce costs
How Has This Been Tested?
Manually
Screenshots (if appropriate):
Types of changes
Checklist: