How to make CodeQL understand that log injection is being sanitized?

[Sarastro72]

I have a case where a user input String can be printed to the log, so I rightfully get a java/log-injection alert. But after adding sanitization of the input I still get the warning. I realize that I can just mark it as a false positive. But should't it be possible for CodeQL to realize that the String is now sanitized?

My first sanitization attempt was a whitelist approach where only the expected characters are allowed.

        return identifier.replaceAll("[^a-zA-Z0-9_\\-+/]", "");

When CodeQL didn't get that, I added an example from right out of the CodeQL documentation where newlines are explicitly removed.

        return identifier
              .replace("\n", "")
              .replaceAll("[^a-zA-Z0-9_\\-+/]", "");

I can see in the alert that the sanitization code is in the path, but the alert is still there. Can CodeQL detect sanitization by itself at all, or is a "False Positive" flag the only way around this?

[hvitved]

Hi

I think the query is maybe lacking appropriate sanitizers, but I'll let @github/codeql-java have a further look.

[atorralba]

Hey @Sarastro72,

@hvitved is right. Our log injection query was missing some sanitizers to match the recommendations given in the query help.

This is addressed in #10707, thanks for reporting the issue.

[Sarastro72]

Thank you for a very fast reply and PR! ⭐