From ed75b8e53a92bbd7a3f7ae094c7dcff4c2e98627 Mon Sep 17 00:00:00 2001 From: Rick M Date: Sat, 4 Mar 2023 10:25:42 -0500 Subject: [PATCH] Formatting and content tweaks --- .../vulnerabilities/Poor_Logging_Practice.md | 29 +++++++++---------- 1 file changed, 14 insertions(+), 15 deletions(-) diff --git a/pages/vulnerabilities/Poor_Logging_Practice.md b/pages/vulnerabilities/Poor_Logging_Practice.md index a82d8837b..0f01c9263 100644 --- a/pages/vulnerabilities/Poor_Logging_Practice.md +++ b/pages/vulnerabilities/Poor_Logging_Practice.md @@ -6,7 +6,6 @@ author: Weilin Zhong contributors: Imifos, KirstenS, kingthorin permalink: /vulnerabilities/Poor_Logging_Practice tags: vulnerability, Poor Logging Practice -auto-migrated: 1 --- @@ -29,7 +28,7 @@ The following statement errantly declares a non-static logger. Logger.getLogger(MyClass.class); ``` -### Poor Logging Practice: Multiple Loggers +### Multiple Loggers It is a poor logging practice to use multiple loggers rather than logging levels in a single class. @@ -41,11 +40,11 @@ The following code errantly declares multiple loggers. ```java public class MyClass { - private final static Logger good = + private final static Logger GOOD = Logger.getLogger(MyClass.class); - private final static Logger bad = + private final static Logger BAD = Logger.getLogger(MyClass.class); - private final static Logger ugly = + private final static Logger UGLY = Logger.getLogger(MyClass.class); ... } 
@@ -53,9 +52,9 @@ The following code errantly declares multiple loggers. ### Use of a System Output Stream -Using System.out or System.err rather than a dedicated logging facility +Using `System.out` or `System.err` rather than a dedicated logging facility makes it difficult to monitor the behavior of the program. It can also -cause log messages accidentally returned to the end users, revealing +cause log messages to accidentally be returned to the end users, revealing internal information to attackers. The first Java program that a developer learns to write often looks like 
@@ -71,23 +70,23 @@ this: While most programmers go on to learn many nuances and subtleties about Java, a surprising number hang on to this first lesson and never give up -on writing messages to standard output using System.out.println(). +on writing messages to standard output using `System.out.println()`. The problem is that writing directly to standard output or standard error is often used as an unstructured form of logging. Structured -logging facilities provide features like logging levels, uniform -formatting, a logger identifier, timestamps, and, perhaps most -critically, the ability to direct the log messages to the right place. -When the use of system output streams is jumbled together with the code +logging facilities provide features like: Logging levels, uniform +formatting, a logger identifier, timestamps, and perhaps most +critically; the ability to direct the log messages to the right place. +When the use of system output streams is jumbled together with code that uses loggers properly, the result is often a well-kept log that is missing critical information. In addition, using system output streams -can also cause log messages accidentally returned to end users, -revealing application internal information to attackers. +and can also cause log messages to accidentally be returned to end users, +revealing an application's internal information to attackers. Developers widely accept the need for structured logging, but many continue to use system output streams in their "pre-production" development. If the code you are reviewing is past the initial phases of -development, use of System.out or System.err may indicate an oversight +development, use of `System.out` or `System.err` may indicate an oversight in the move to a structured logging system. ## References
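Review bot: Dropping `auto-migrated: 1` from the front matter (first hunk, `-auto-migrated: 1`) is appropriate only if that key marks pages still awaiting a manual post-migration review and this page has now had one; the commit subject mentions formatting and content tweaks, so please confirm the whole page was checked rather than just the hunks below, otherwise the flag should stay.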
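Review bot: Renaming the heading to `### Multiple Loggers` (second hunk) changes the generated anchor from `#poor-logging-practice-multiple-loggers` to `#multiple-loggers`, so any in-page or cross-page links to the old anchor need updating; the shorter form is otherwise consistent with the neighbouring `### Use of a System Output Stream` heading, which already omits the `Poor Logging Practice:` prefix.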
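Review bot: In the multiple-loggers hunk, renaming `good`/`bad`/`ugly` to `GOOD`/`BAD`/`UGLY` follows the Java convention for `static final` constants, but since these declaration lines are being touched anyway, `private final static Logger GOOD =` should become `private static final Logger GOOD =` (and likewise for `BAD` and `UGLY`), the customary modifier order the JLS recommends; as written the example now follows one naming convention while keeping a non-standard modifier order. The snippet is intentionally bad practice, so the rename does not change its point, but a reader may wonder whether the uppercase names are part of the mistake; the surrounding text should make clear that the problem is the three loggers, not their names.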
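Review bot: In the `System.out`/`System.err` hunk, `+cause log messages to accidentally be returned to the end users, revealing` splits the infinitive; `cause log messages to be accidentally returned to the end users` reads more naturally. Also note that this sentence is now almost word for word the same as the one reworked in the final hunk (`and can also cause log messages to accidentally be returned to end users`), so consider stating the disclosure risk once rather than maintaining two near-duplicate sentences.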
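Review bot: The final hunk introduces a grammatical error: `+and can also cause log messages to accidentally be returned to end users,` leaves the sentence reading `In addition, using system output streams and can also cause ...`, with the stray `and` breaking the subject-verb link, so drop the `and` (keep `can also cause log messages to be accidentally returned to end users,`). In the same hunk, `+logging facilities provide features like: Logging levels, uniform` and `+critically; the ability to direct the log messages to the right place.` replace correct punctuation with a colon before an inline list, a capitalised `Logging` mid-sentence and a semicolon before `the ability`; the original `features like logging levels, ... and, perhaps most critically, the ability` was correct and should be restored, keeping only the backtick and wording changes.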