CodeQL: Sanitize log entries created from user input (#1202)

* Sanitize log entries created by user

* Add InfoSanitized.

* Santitize both parameters in WarnSanitized and InfoSanitized

---------

Co-authored-by: claudiamurialdo <c.murialdo@globant.com>

Author: claudiamurialdo

dotnet/src/dotnetframework/GxClasses/Core/GXApplication.cs

@@ -3716,7 +3716,7 @@ internal string ClientTimeZoneId
 				if (String.IsNullOrEmpty(sTZ))
 				{
 					sTZ = (string)GetCookie(GX_REQUEST_TIMEZONE);
-					GXLogging.Debug(Logger, "ClientTimeZone GX_REQUEST_TIMEZONE cookie:", sTZ);
+					GXLogging.DebugSanitized(Logger, "ClientTimeZone GX_REQUEST_TIMEZONE cookie:", sTZ);
 				}
 				if (!DateTimeUtil.ValidTimeZone(sTZ))
 				{

dotnet/src/dotnetframework/GxClasses/Core/GXUtilsCommon.cs

@@ -3999,7 +3999,7 @@ public static bool AbsoluteUri(string fileName, out Uri result)
 				GXLogging.Debug(log, "Absolute uri:", fileName, " resolved to " + result);
 				return true;
 			}
-			GXLogging.Info(log, "Uri ", fileName, " resolved to:" + result);
+			GXLogging.InfoSanitized(log, "Uri ", fileName, " resolved to:" + result);
 			return false; ;
 		}
 

dotnet/src/dotnetframework/GxClasses/Data/GXDataCommon.cs

@@ -935,7 +935,7 @@ protected static byte[] GetBinary(string fileNameParm, bool dbBlob)
 										return binary;
 									}
 								}
-								GXLogging.Debug(log, "GxCommand. An error occurred while getting data from file path ", uri.AbsolutePath, e);
+								GXLogging.DebugSanitized(log, e, "GxCommand. An error occurred while getting data from file path ", uri.AbsolutePath);
 								throw e;
 							}
 							break;

dotnet/src/dotnetframework/GxClasses/Data/GXDataPostgreSQL.cs

@@ -343,9 +343,9 @@ public override long GetBytes(IGxDbCommand cmd, IDataRecord DR, int i, long fiel
 		}
 		public override void SetParameter(IDbDataParameter parameter, object value)
 		{
-			if (value is Guid)
+			if (value is Guid guid)
 			{
-				value = value.ToString();
+				value = guid.ToString();
 			}
 #if NETCORE
 			else if (value is GxEmbedding embedding)

dotnet/src/dotnetframework/GxClasses/Helpers/GXLogging.cs

@@ -535,7 +535,7 @@ public static void ErrorSanitized(ILog log, string msg, Exception ex)
 		{
 			if (log.IsErrorEnabled)
 			{
-				log.Error(Utils.StringUtil.Sanitize(msg, Utils.StringUtil.LogUserEntryWhiteList), ex);
+				log.Error(StringUtil.Sanitize(msg, StringUtil.LogUserEntryWhiteList), ex);
 			}
 		}
 		public static void Error(ILog log, string msg1, string msg2, Exception ex)
@@ -598,7 +598,7 @@ public static void DebugSanitized(ILog log, Exception ex, params string[] list)
 				StringBuilder msg = new StringBuilder();
 				foreach (string parm in list)
 				{
-					msg.Append(Utils.StringUtil.Sanitize(parm, Utils.StringUtil.LogUserEntryWhiteList));
+					msg.Append(StringUtil.Sanitize(parm, StringUtil.LogUserEntryWhiteList));
 				}
 				if (ex != null)
 					log.Debug(msg, ex);
@@ -749,7 +749,7 @@ internal static void ErrorSanitized(IGXLogger logger, string msg, Exception ex)
 			{
 				if (logger.IsErrorEnabled)
 				{
-					logger.LogError(Utils.StringUtil.Sanitize(msg, Utils.StringUtil.LogUserEntryWhiteList), ex);
+					logger.LogError(StringUtil.Sanitize(msg, StringUtil.LogUserEntryWhiteList), ex);
 				}
 			}
 		}
@@ -832,6 +832,18 @@ public static void Warn(IGXLogger logger, params string[] list)
 				}
 			}
 		}
+		internal static void WarnSanitized(IGXLogger log, string msg, params string[] list)
+		{
+			if (log.IsDebugEnabled)
+			{
+				StringBuilder strBuilder = new StringBuilder(StringUtil.Sanitize(msg, StringUtil.LogUserEntryWhiteList));
+				foreach (string parm in list)
+				{
+					strBuilder.Append(StringUtil.Sanitize(parm, StringUtil.LogUserEntryWhiteList));
+				}
+				log.LogWarning(strBuilder.ToString());
+			}
+		}
 		public static void Warn(IGXLogger logger, string msg, params string[] list)
 		{
 			if (logger != null)
@@ -861,7 +873,7 @@ internal static void DebugSanitized(IGXLogger logger, Exception ex, params strin
 					StringBuilder msg = new StringBuilder();
 					foreach (string parm in list)
 					{
-						msg.Append(Utils.StringUtil.Sanitize(parm, Utils.StringUtil.LogUserEntryWhiteList));
+						msg.Append(StringUtil.Sanitize(parm, StringUtil.LogUserEntryWhiteList));
 					}
 					if (ex != null)
 						logger.LogDebug(ex, msg.ToString());
@@ -969,6 +981,21 @@ public static void Info(IGXLogger logger, string msg, params string[] list)
 				}
 			}
 		}
+		internal static void InfoSanitized(IGXLogger logger, string msg, params string[] list)
+		{
+			if (logger != null)
+			{
+				if (logger.IsInfoEnabled)
+				{
+					StringBuilder stringBuilder = new StringBuilder(StringUtil.Sanitize(msg, StringUtil.LogUserEntryWhiteList));
+					foreach (string parm in list)
+					{
+						stringBuilder.Append(StringUtil.Sanitize(parm, StringUtil.LogUserEntryWhiteList));
+					}
+					logger.LogInfo(stringBuilder.ToString());
+				}
+			}
+		}
 		#endregion
 	}
 }

dotnet/src/dotnetframework/GxClasses/Helpers/GXMetadata.cs

@@ -111,7 +111,7 @@ static public Type FindType(string defaultAssemblyName, string ns, string clssWi
 				}
 				catch(FileNotFoundException)
 				{
-					GXLogging.Warn(log, "Assembly: ", defaultAssemblyName, "not found");
+					GXLogging.WarnSanitized(log, "Assembly: ", defaultAssemblyName, "not found");
 				}
 				catch(Exception ex)
 				{

dotnet/src/dotnetframework/GxClasses/Middleware/GXHttpServices.cs

@@ -225,7 +225,7 @@ public override void webExecute()
 				}
 				if (code != 0)
 				{
-					GXLogging.Error(log, "Error executing ", commandType);
+					GXLogging.WarnSanitized(log, "Error executing ", commandType);
 					context.HttpContext.Response.Write(ERROR_LINE);
 				}
 			}