Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Formatting and content tweaks #736

Merged
merged 1 commit into from
Mar 4, 2023
Merged
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
29 changes: 14 additions & 15 deletions pages/vulnerabilities/Poor_Logging_Practice.md
Original file line number Diff line number Diff line change
Expand Up @@ -6,7 +6,6 @@ author: Weilin Zhong
contributors: Imifos, KirstenS, kingthorin
permalink: /vulnerabilities/Poor_Logging_Practice
tags: vulnerability, Poor Logging Practice
auto-migrated: 1

---

Expand All @@ -29,7 +28,7 @@ The following statement errantly declares a non-static logger.
Logger.getLogger(MyClass.class);
```

### Poor Logging Practice: Multiple Loggers
### Multiple Loggers

It is a poor logging practice to use multiple loggers rather than
logging levels in a single class.
Expand All @@ -41,21 +40,21 @@ The following code errantly declares multiple loggers.

```java
public class MyClass {
private final static Logger good =
private final static Logger GOOD =
Logger.getLogger(MyClass.class);
private final static Logger bad =
private final static Logger BAD =
Logger.getLogger(MyClass.class);
private final static Logger ugly =
private final static Logger UGLY =
Logger.getLogger(MyClass.class);
...
}
```

### Use of a System Output Stream

Using System.out or System.err rather than a dedicated logging facility
Using `System.out` or `System.err` rather than a dedicated logging facility
makes it difficult to monitor the behavior of the program. It can also
cause log messages accidentally returned to the end users, revealing
cause log messages to accidentally be returned to the end users, revealing
internal information to attackers.

The first Java program that a developer learns to write often looks like
Expand All @@ -71,23 +70,23 @@ this:

While most programmers go on to learn many nuances and subtleties about
Java, a surprising number hang on to this first lesson and never give up
on writing messages to standard output using System.out.println().
on writing messages to standard output using `System.out.println()`.

The problem is that writing directly to standard output or standard
error is often used as an unstructured form of logging. Structured
logging facilities provide features like logging levels, uniform
formatting, a logger identifier, timestamps, and, perhaps most
critically, the ability to direct the log messages to the right place.
When the use of system output streams is jumbled together with the code
logging facilities provide features like: Logging levels, uniform
formatting, a logger identifier, timestamps, and perhaps most
critically; the ability to direct the log messages to the right place.
When the use of system output streams is jumbled together with code
that uses loggers properly, the result is often a well-kept log that is
missing critical information. In addition, using system output streams
can also cause log messages accidentally returned to end users,
revealing application internal information to attackers.
and can also cause log messages to accidentally be returned to end users,
revealing an application's internal information to attackers.

Developers widely accept the need for structured logging, but many
continue to use system output streams in their "pre-production"
development. If the code you are reviewing is past the initial phases of
development, use of System.out or System.err may indicate an oversight
development, use of `System.out` or `System.err` may indicate an oversight
in the move to a structured logging system.

## References
Expand Down