log forging example

octodemo · Sep 26, 2024 · 71d6ac8 · 71d6ac8
1 parent 93b8a66
commit 71d6ac8
Show file tree

Hide file tree

Showing 2 changed files with 28 additions and 0 deletions.
diff --git a/LogForgingMiddleware.cs b/LogForgingMiddleware.cs
@@ -0,0 +1,27 @@
+using Microsoft.AspNetCore.Http;
+using Microsoft.Extensions.Logging;
+using System;
+using System.Threading.Tasks;
+
+public class LogForgingMiddleware
+{
+    private readonly RequestDelegate _next;
+    private readonly ILogger<LogForgingMiddleware> _logger;
+
+    public LogForgingMiddleware(RequestDelegate next, ILogger<LogForgingMiddleware> logger)
+    {
+        _next = next;
+        _logger = logger;
+    }
+
+    public async Task InvokeAsync(HttpContext context)
+    {
+        string username = context.Request.Query["username"];
+        // BAD: User input logged as-is
+        _logger.LogWarning(username + " log in requested.");
+        // GOOD: User input logged with new-lines removed
+        _logger.LogWarning(username?.Replace(Environment.NewLine, "") + " log in requested");
+
+        await _next(context);
+    }
+}
diff --git a/Program.cs b/Program.cs
@@ -27,5 +27,6 @@
 app.UseAuthorization();
 
 app.MapControllers();
+app.UseMiddleware<LogForgingMiddleware>();
 
 app.Run();