CRLF injection issue (Improper Output Neutralization for Logs) /src/lib/connectors/xhr.js 76


(Sungho Maeung) #1

Hi, all

We use a Node project that depends on the elasticsearch JavaScript package (14.2.2), which is the latest version.

We received a security audit report from a security firm stating that, with the elasticsearch JavaScript package (14.2.2), a CRLF injection issue (Improper Output Neutralization for Logs) is possible at /src/lib/connectors/xhr.js line 76.

Is it possible to mount a log forging attack through line #76?

73:   xhr.onreadystatechange = function () {
74:     if (xhr.readyState === 4) {
75:       clearTimeout(timeoutId);
76:       log.trace(params.method, url, params.body, xhr.responseText, xhr.status);
77:       var err = xhr.status ? void 0 : new ConnectionFault(xhr.statusText || 'Request failed to complete.');
78:       cb(err, xhr.responseText, xhr.status);
79:     }
80:   };

Has this already been identified by the elasticsearch community? Or is there any configuration setting to disable log.trace()?


(Thiago Souza) #2

The log is just a logger abstraction which can be implemented in many different ways.

If you need extra logic due to security concerns, then you can just implement and use your own logger.


(Sungho Maeung) #3

Thanks for the information. I set it up as below to disable trace and only enable error.

var client = new elasticsearch.Client({ log: 'error' });


(Thiago Souza) #4

Yes, that will also work 🙂
