Tidy up references and add more precise citations

tommcd · tommcd · commit 721ff5f4b249 · 2025-09-26T16:19:42.000+01:00
Signed-off-by: emcdtho &lt;thomas.mcdermott@ericsson.com&gt;
diff --git a/docs/Secure-Coding-Guide-for-Python/CWE-707/CWE-117/README.md b/docs/Secure-Coding-Guide-for-Python/CWE-707/CWE-117/README.md
@@ -2,17 +2,19 @@
 
 Log injection occurs when untrusted data is written to application logs without proper neutralization, allowing attackers to forge log entries or inject malicious content. Attackers can inject fake log records or hide real ones by inserting newline sequences (`\r` or `\n`), misleading auditors and incident-response teams. This vulnerability can also enable injection of XSS attacks when logs are viewed in vulnerable web applications.
 
+Attackers can exploit this weakness (see [*Attacks on Logs*](https://cheatsheetseries.owasp.org/cheatsheets/Logging_Cheat_Sheet.html#attacks-on-logs) [[OWASP 2025]](https://cheatsheetseries.owasp.org/cheatsheets/Logging_Cheat_Sheet.html#attacks-on-logs)) by submitting strings containing CRLF sequences that create fake log entries.
+
 Attackers can exploit this weakness by submitting strings containing Carriage Return Line Feed (CRLF) sequences that create fake log entries. For instance, an attacker authenticating with a crafted username can make failed login attempts appear successful in audit logs, potentially framing innocent users or hiding malicious activity.
 
 This vulnerability is classified as **CWE-117: Improper Output Neutralization for Logs** [[CWE-117](https://cwe.mitre.org/data/definitions/117.html)]. It occurs when CRLF sequences are not properly neutralized in log output, which is a specific instance of the broader **CWE-93: Improper Neutralization of CRLF Sequences** [[CWE-93](https://cwe.mitre.org/data/definitions/93.html)] weakness. Attackers exploit this using the **CAPEC-93: Log Injection-Tampering-Forging** [[CAPEC-93](https://capec.mitre.org/data/definitions/93.html)] attack pattern.
 
-The OWASP Top 10 [[OWASP A09:2021](https://owasp.org/www-project-top-ten/)]lists “Security Logging and Monitoring Failures” as a critical security risk, emphasizing that log data must be encoded correctly to prevent injections.
+The OWASP Top 10 [[OWASP A09:2021](https://owasp.org/Top10/A09_2021-Security_Logging_and_Monitoring_Failures/)] lists “Security Logging and Monitoring Failures” as a critical security risk.
 
 ## Noncompliant Code Example
 
 This example demonstrates how raw user input written to logs enables injection attacks:
 
-_[noncompliant01.py](noncompliant01.py):_
+*[noncompliant01.py](noncompliant01.py):*
 
 ```python
 """ Non-compliant Code Example """
@@ -39,9 +41,11 @@ The attacker's input creates what appears to be a legitimate log entry showing a
 
 ## Compliant Solution
 
+As per the OWASP Logging Cheat Sheet [[OWASP 2025]](https://cheatsheetseries.owasp.org/cheatsheets/Logging_Cheat_Sheet.html) section on ["Event collection"](https://cheatsheetseries.owasp.org/cheatsheets/Logging_Cheat_Sheet.html#event-collection), applications should sanitize event data to prevent log injection and encode data correctly for the logged format.
+
 The `compliant01.py` solution uses a strict allow-list for usernames and returns early on any mismatch, so `CR/LF` or other disallowed characters never reach the logger; for rejected attempts it logs a safe one-line summary with `%r` (escaped newlines), preventing forged secondary log lines. In short: validate upfront and neutralize what you do record.
 
-_[compliant01.py](compliant01.py):_
+*[compliant01.py](compliant01.py):*
 
 ```python
 """ Compliant Code Example """
@@ -104,12 +108,6 @@ WARNING:root:Rejected login attempt: invalid username="guest'\nWARNING:root:User
       <td>Not Available</td>
       <td></td>
     </tr>
-    <tr>
-      <td>PyLint</td>
-      <td>2.17</td>
-      <td>Not Available</td>
-      <td></td>
-    </tr>
     <tr>
       <td>CodeQL</td>
       <td>Latest</td>
@@ -130,49 +128,50 @@ WARNING:root:Rejected login attempt: invalid username="guest'\nWARNING:root:User
 <table>
     <tr>
         <td><a href="http://cwe.mitre.org/">MITRE CWE</a></td>
-        <td>Pillar: <a href="https://cwe.mitre.org/data/definitions/707.html"> CWE-707: Improper Neutralization [CWE-707] </a></td>
+        <td>Pillar: <a href="https://cwe.mitre.org/data/definitions/707.html"> CWE-707: Improper Neutralization</a></td>
     </tr>
     <tr>
         <td><a href="http://cwe.mitre.org/">MITRE CWE</a></td>
-        <td>Base: <a href="https://cwe.mitre.org/data/definitions/117.html">CWE-117: Improper Output Neutralization for Log </a>[CWE-117]</td>
+        <td>Base: <a href="https://cwe.mitre.org/data/definitions/117.html">CWE-117: Improper Output Neutralization for Log </a></td>
     </tr>
     <tr>
         <td><a href="http://cwe.mitre.org/">MITRE CWE</a></td>
-        <td>Base: <a href="https://cwe.mitre.org/data/definitions/93.html">CWE-93: Improper Neutralization of CRLF Sequences ('CRLF Injection') </a>[CWE-93]</td>
+        <td>Base: <a href="https://cwe.mitre.org/data/definitions/93.html">CWE-93: Improper Neutralization of CRLF Sequences ('CRLF Injection') </a></td>
     </tr>
     <tr>
         <td><a href="http://cwe.mitre.org/">MITRE CWE</a></td>
-        <td>Variant: <a href="https://cwe.mitre.org/data/definitions/113.html">CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting') </a>[CWE-113]</td>
+        <td>Variant: <a href="https://cwe.mitre.org/data/definitions/113.html">CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting') </a></td>
     </tr>
     <tr>
         <td><a href="http://capec.mitre.org/">MITRE CAPEC</a></td>
-        <td>Detailed: <a href="https://capec.mitre.org/data/definitions/93.html">CAPEC-93: Log Injection-Tampering-Forging </a>[CAPEC-93]</td>
+        <td>Detailed: <a href="https://capec.mitre.org/data/definitions/93.html">CAPEC-93: Log Injection-Tampering-Forging </a></td>
     </tr>
     <tr>
         <td><a href="https://owasp.org/Top10/">OWASP Top 10</a></td>
-        <td><a href="https://owasp.org/Top10/A09_2021-Security_Logging_and_Monitoring_Failures/">A09:2021 – Security Logging and Monitoring Failures </a>[OWASP A09:2021]</td>
+        <td><a href="https://owasp.org/Top10/A09_2021-Security_Logging_and_Monitoring_Failures/">A09:2021 – Security Logging and Monitoring Failures </a></td>
     </tr>
     <tr>
         <td><a href="https://owasp.org/">OWASP ASVS 4.0</a></td>
-        <td><a href="https://owasp.org/www-project-application-security-verification-standard/">OWASP Application Security Verification Standard (ASVS) </a>[OWASP ASVS 4.0]</td>
+        <td><a href="https://owasp.org/www-project-application-security-verification-standard/">OWASP Application Security Verification Standard (ASVS) </a>. See "V16 Security Logging and Error Handling".
+</td>
+    <tr>
+        <td><a href="https://cheatsheetseries.owasp.org/index.html">OWASP Cheat Sheet Series</a></td>
+        <td><a href="https://cheatsheetseries.owasp.org/cheatsheets/Logging_Cheat_Sheet.html">OWASP Logging Cheat Sheet</a></td>
+    </tr>
     </tr>
     <tr>
         <td>ISO/IEC TR 24772:2013</td>
-        <td><a href="https://www.iso.org/standard/61457.html">ISO/IEC TR 24772:2013 Information technology — Programming languages — Guidance to avoiding vulnerabilities in programming languages through language selection and use </a>[ISO 24772:2013]</td>
+        <td><a href="https://www.iso.org/standard/61457.html">ISO/IEC TR 24772:2013 Information technology — Programming languages — Guidance to avoiding vulnerabilities in programming languages through language selection and use </a></td>
     </tr>
     <tr>
         <td>NIST SP 800-92</td>
-        <td><a href="https://csrc.nist.gov/pubs/sp/800/92/final">NIST SP 800-92 Guide to Computer Security Log Management </a>[NIST SP 800-92]</td>
+        <td><a href="https://csrc.nist.gov/pubs/sp/800/92/final">NIST SP 800-92 Guide to Computer Security Log Management </a></td>
     </tr>
 </table>
 
 ## Bibliography
 
 <table>
-    <tr>
-        <td>[CWE-707]</a></td>
-        <td>CWE-707: Improper Neutralization [online]. Available from <a href="https://cwe.mitre.org/data/definitions/707.html">https://cwe.mitre.org/data/definitions/707.html</a>, [Accessed 24 September 2025]</td>
-    </tr>
     <tr>
         <td>[CWE-117]</a></td>
         <td>CWE-117: Improper Output Neutralization for Log [online]. Available from <a href="https://cwe.mitre.org/data/definitions/117.html">https://cwe.mitre.org/data/definitions/117.html</a>, [Accessed 24 September 2025]</td>
@@ -194,16 +193,7 @@ WARNING:root:Rejected login attempt: invalid username="guest'\nWARNING:root:User
         <td>A09:2021 – Security Logging and Monitoring Failures [online]. Available from:<a href="https://owasp.org/Top10/A09_2021-Security_Logging_and_Monitoring_Failures/">https://owasp.org/Top10/A09_2021-Security_Logging_and_Monitoring_Failures/</a>, [Accessed 24 September 2025]</td>
     </tr>
     <tr>
-        <td>[OWASP ASVS 4.0]</td>
-        <td>OWASP Application Security Verification Standard (ASVS) [online]. Available from: <a href="https://owasp.org/www-project-application-security-verification-standard/">https://owasp.org/www-project-application-security-verification-standard/</a>, [Accessed 24 September 2025]</td>
-    </tr>
-    <tr>
-        <td>[ISO 24772:2013]</td>
-        <td>ISO/IEC TR 24772:2013 Information technology — Programming languages — Guidance to avoiding vulnerabilities in programming languages through language selection and use [online]. Available from:
-        <a href="https://www.iso.org/standard/61457.html">https://www.iso.org/standard/61457.html</a>, [Accessed 24 September 2025]</td>
-    </tr>
-    <tr>
-        <td>[NIST SP 800-92]</td>
-        <td>NIST SP 800-92 Guide to Computer Security Log Management [online]. Available from:<a href="https://csrc.nist.gov/pubs/sp/800/92/final">https://csrc.nist.gov/pubs/sp/800/92/final</a>, [Accessed 24 September 2025]</td>
+        <td>[OWASP 2025]</td>
+        <td>OWASP Cheat Sheet Series: Logging Cheat Sheet [online]. Available from: <a href="https://cheatsheetseries.owasp.org/cheatsheets/Logging_Cheat_Sheet.html">https://cheatsheetseries.owasp.org/cheatsheets/Logging_Cheat_Sheet.html</a> (see “Event collection” and “Attacks on Logs”). [Accessed 24 September 2025]</td>
     </tr>
 </table>
