Create r2c-david.java

[r2c-david]

No description provided.

[semgrep-na-workshop]

When data from an untrusted source is put into a logger and not neutralized correctly, an attacker could forge log entries or include malicious content. Please use Jsoup.clean() to sanitize logger data.

View Dataflow Graph

flowchart LR
    classDef invis fill:white, stroke: none
    classDef default fill:#e7f5ff, color:#1c7fd6, stroke: none

    subgraph File0["<b>r2c-david.java</b>"]
        direction LR
        %% Source

        subgraph Source
            direction LR

            v0("<b>[Line: 7]</b> request.getParameter(#quot;param#quot;)")
        end
        %% Intermediate

        %% Sink

        subgraph Sink
            direction LR

            v1("<b>[Line: 7]</b> log.info(#quot;foo#quot;+request.getParameter(#quot;param#quot;));")
        end
    end
    %% Class Assignment
    Source:::invis
    Sink:::invis

    File0:::invis

    %% Connections

    Source --> Sink

    %% Clickable

    click v0 href "https://github.com/Semgrep-NA-Workshop/JavaSpringVulny-app/blob/de5c809ae7f572507cacd9f4831419c3f1f3e940/r2c-david.java#L7" "View in source" _blank
    click v1 href "https://github.com/Semgrep-NA-Workshop/JavaSpringVulny-app/blob/de5c809ae7f572507cacd9f4831419c3f1f3e940/r2c-david.java#L7" "View in source" _blank

Loading

_{Ignore this finding from crlf-injection-logs-deepsemgrep-customized.}

[semgrep-na-workshop]

Semgrep Assistant thinks you might be able to fix the finding like this:

Suggested change

	log.info("foo"+request.getParameter("param"));
	log.info("foo" + Jsoup.clean(request.getParameter("param"), Whitelist.none()));

_{AI-generated comment. Please review the code carefully.}