CodeQL: Sanitize log entries created from user input (#1203)

claudiamurialdo · claudiamurialdo · web-flow · commit 971322e3f7d5 · 2025-10-08T16:23:44.000-03:00
Co-authored-by: claudiamurialdo &lt;c.murialdo@globant.com&gt;
diff --git a/dotnet/src/dotnetframework/GxClasses/Core/GXApplication.cs b/dotnet/src/dotnetframework/GxClasses/Core/GXApplication.cs
@@ -3721,7 +3721,7 @@ internal string ClientTimeZoneId
 				if (!DateTimeUtil.ValidTimeZone(sTZ))
 				{
 					sTZ = (string)GetUndecodedCookie(GX_REQUEST_TIMEZONE);
-					GXLogging.Debug(Logger, "Try reading undecoded ClientTimeZone GX_REQUEST_TIMEZONE cookie:", sTZ);
+					GXLogging.DebugSanitized(Logger, "Try reading undecoded ClientTimeZone GX_REQUEST_TIMEZONE cookie:", sTZ);
 				}
 				try
 				{
@@ -3733,7 +3733,7 @@ internal string ClientTimeZoneId
 						}
 						catch (Exception ex)//DateTimeZoneNotFound
 						{
-							GXLogging.Warn(Logger, $"Client timezone not found: {sTZ}", ex);
+							GXLogging.WarnSanitized(Logger, ex, $"Client timezone not found: {sTZ}");
 						}
 						_currentTimeZoneId = DateTimeZoneProviders.Tzdb.GetSystemDefault().Id;
 						GXLogging.Warn(Logger, $"Setting Client timezone to System default: {_currentTimeZoneId}");
diff --git a/dotnet/src/dotnetframework/GxClasses/Data/GXDataCommon.cs b/dotnet/src/dotnetframework/GxClasses/Data/GXDataCommon.cs
@@ -940,7 +940,7 @@ protected static byte[] GetBinary(string fileNameParm, bool dbBlob)
 							}
 							break;
 						default:
-							GXLogging.Error(log, "Schema not supported: ", fileName);
+							GXLogging.WarnSanitized(log, "Schema not supported: ", fileName);
 							break;
 					}				
 					GXLogging.Debug(log, "GetBinary fileName ", uri.AbsolutePath, ",ReadBytes:", binary != null ? binary.Length.ToString() : "0");
diff --git a/dotnet/src/dotnetframework/GxClasses/Helpers/GXLogging.cs b/dotnet/src/dotnetframework/GxClasses/Helpers/GXLogging.cs
@@ -844,6 +844,18 @@ internal static void WarnSanitized(IGXLogger log, string msg, params string[] li
 				log.LogWarning(strBuilder.ToString());
 			}
 		}
+		internal static void WarnSanitized(IGXLogger log, Exception ex, params string[] list)
+		{
+			if (log.IsDebugEnabled)
+			{
+				StringBuilder strBuilder = new StringBuilder();
+				foreach (string parm in list)
+				{
+					strBuilder.Append(StringUtil.Sanitize(parm, StringUtil.LogUserEntryWhiteList));
+				}
+				log.LogWarning(ex, strBuilder.ToString());
+			}
+		}
 		public static void Warn(IGXLogger logger, string msg, params string[] list)
 		{
 			if (logger != null)

Original file line number	Diff line number	Diff line change
`@@ -3721,7 +3721,7 @@ internal string ClientTimeZoneId`
`3721`	`3721`	`if (!DateTimeUtil.ValidTimeZone(sTZ))`
`3722`	`3722`	`{`
`3723`	`3723`	`sTZ = (string)GetUndecodedCookie(GX_REQUEST_TIMEZONE);`
`3724`		`- GXLogging.Debug(Logger, "Try reading undecoded ClientTimeZone GX_REQUEST_TIMEZONE cookie:", sTZ);`
	`3724`	`+ GXLogging.DebugSanitized(Logger, "Try reading undecoded ClientTimeZone GX_REQUEST_TIMEZONE cookie:", sTZ);`
`3725`	`3725`	`}`
`3726`	`3726`	`try`
`3727`	`3727`	`{`
`@@ -3733,7 +3733,7 @@ internal string ClientTimeZoneId`
`3733`	`3733`	`}`
`3734`	`3734`	`catch (Exception ex)//DateTimeZoneNotFound`
`3735`	`3735`	`{`
`3736`		`- GXLogging.Warn(Logger, $"Client timezone not found: {sTZ}", ex);`
	`3736`	`+ GXLogging.WarnSanitized(Logger, ex, $"Client timezone not found: {sTZ}");`
`3737`	`3737`	`}`
`3738`	`3738`	`_currentTimeZoneId = DateTimeZoneProviders.Tzdb.GetSystemDefault().Id;`
`3739`	`3739`	`GXLogging.Warn(Logger, $"Setting Client timezone to System default: {_currentTimeZoneId}");`
Original file line number	Diff line number	Diff line change
`@@ -940,7 +940,7 @@ protected static byte[] GetBinary(string fileNameParm, bool dbBlob)`
`940`	`940`	`}`
`941`	`941`	`break;`
`942`	`942`	`default:`
`943`		`- GXLogging.Error(log, "Schema not supported: ", fileName);`
	`943`	`+ GXLogging.WarnSanitized(log, "Schema not supported: ", fileName);`
`944`	`944`	`break;`
`945`	`945`	`}`
`946`	`946`	`GXLogging.Debug(log, "GetBinary fileName ", uri.AbsolutePath, ",ReadBytes:", binary != null ? binary.Length.ToString() : "0");`
Original file line number	Diff line number	Diff line change
`@@ -844,6 +844,18 @@ internal static void WarnSanitized(IGXLogger log, string msg, params string[] li`
`844`	`844`	`log.LogWarning(strBuilder.ToString());`
`845`	`845`	`}`
`846`	`846`	`}`
	`847`	`+ internal static void WarnSanitized(IGXLogger log, Exception ex, params string[] list)`
	`848`	`+ {`
	`849`	`+ if (log.IsDebugEnabled)`
	`850`	`+ {`
	`851`	`+ StringBuilder strBuilder = new StringBuilder();`
	`852`	`+ foreach (string parm in list)`
	`853`	`+ {`
	`854`	`+ strBuilder.Append(StringUtil.Sanitize(parm, StringUtil.LogUserEntryWhiteList));`
	`855`	`+ }`
	`856`	`+ log.LogWarning(ex, strBuilder.ToString());`
	`857`	`+ }`
	`858`	`+ }`
`847`	`859`	`public static void Warn(IGXLogger logger, string msg, params string[] list)`
`848`	`860`	`{`
`849`	`861`	`if (logger != null)`