Log escaping and security enhancements
Starting with Bamboo 10.2, we've introduced several improvements to log handling to enhance security and protect against log injection, in line with OWASP recommendations.
Newline Conversion
Newline characters (\n, \r, \r\n) are now automatically converted into visible new lines. Each new line is prefixed with the phrase "(log message continued...)" to indicate continuation from the previous line. This prevents forging log entries by passing newline characters inside a log message.
Character Escaping
The characters < and > are escaped to &lt; and &gt; respectively. This prevents the injection of HTML and JavaScript code into logs and ensures logs display correctly in HTML-sensitive environments.
Log Line Length Limit
Bamboo enforces a default log line length limit of 10,000 characters. Longer messages are cut at the limit and a note stating the original and truncated lengths is appended.
System properties
-Dbamboo.log.message.escape.enabled
Controls whether log message escaping is enabled. By default, escaping is enabled.
-Dbamboo.log.message.max.length
Defines the maximum length for a single log message. The default is set to 10,000 characters.
Examples
Escaping
Prior to Bamboo 10.2
[2023-10-05 14:22:01] <Build started>
Compiling source code...
Starting from Bamboo 10.2
[2023-10-05 14:22:01] &lt;Build started&gt;
(log message continued...) Compiling source code...
Log Line Length Limit
Prior to Bamboo 10.2
2024-12-17 18:16:22,981 INFO [main] [JDKFilterConfigurator] Global serial filter set to JDK 8 DeserializationFilter
Starting from Bamboo 10.2
This example assumes the maximum line length has been set to 25 characters, for demonstration only. The default value is 10,000 characters.
2024-12-18 15:12:30,441 INFO [main] [JDKFilterConfigurator] Global serial filter set ... (This log message was truncated from 55 characters to 25 characters)
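The following is an added example, not Bamboo's own code, that reimplements the three behaviours described on this page (newline conversion with the continuation marker, escaping of < and >, and truncation with the appended length note) so the escaping and truncation examples above can be reproduced on any message. The function and parameter names are my own; the order of operations (truncate the raw message first, then escape, then convert newlines) and the rule that the max-length limit applies even when escaping is disabled are assumptions, since the page does not state them.

```python
import re

# Marker the page shows on every continuation line.
CONTINUATION = "(log message continued...)"
# Default of -Dbamboo.log.message.max.length as stated on the page.
DEFAULT_MAX_LENGTH = 10_000

# \r\n must come first so it is consumed as a single line break.
_NEWLINE_RE = re.compile(r"\r\n|\r|\n")


def truncate_message(message: str, max_length: int = DEFAULT_MAX_LENGTH) -> str:
    """Cut a message exceeding max_length and append a note with both lengths.

    The note wording matches the page's truncation example.
    """
    if len(message) <= max_length:
        return message
    return (
        f"{message[:max_length]}... (This log message was truncated from "
        f"{len(message)} characters to {max_length} characters)"
    )


def escape_html_chars(message: str) -> str:
    """Escape only < and >, the two characters the page lists.

    Assumption: & is left untouched, as the page does not mention it.
    """
    return message.replace("<", "&lt;").replace(">", "&gt;")


def convert_newlines(message: str) -> str:
    """Keep line breaks visible but tag each continuation line.

    A forged second line can no longer masquerade as an independent log
    entry because it is always prefixed with the continuation marker.
    """
    parts = _NEWLINE_RE.split(message)
    tagged = [parts[0]] + [f"{CONTINUATION} {part}" for part in parts[1:]]
    return "\n".join(tagged)


def sanitize_log_message(
    message: str,
    max_length: int = DEFAULT_MAX_LENGTH,
    escape_enabled: bool = True,
) -> str:
    """Apply the page's pipeline to one log message.

    escape_enabled mirrors -Dbamboo.log.message.escape.enabled;
    max_length mirrors -Dbamboo.log.message.max.length.
    Assumption: the length limit is enforced regardless of the escape flag.
    """
    message = truncate_message(message, max_length)
    if not escape_enabled:
        return message
    message = escape_html_chars(message)
    return convert_newlines(message)


if __name__ == "__main__":
    # Constructed inputs reproducing the page's two examples.
    forged = "<Build started>\nCompiling source code..."
    print(sanitize_log_message(forged))
    long_line = "Global serial filter set to JDK 8 DeserializationFilter"
    print(sanitize_log_message(long_line, max_length=25))
```

Running the block prints the escaped, continuation-tagged build message and the 25-character truncation shown in the examples above; any log line that a caller tries to smuggle in after a newline ends up visibly marked as a continuation rather than as a fresh entry.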