Merge pull request #623 from rabbitmq/rabbitmq-java-client-622-for-4.x

Sanitise peer certificate values we log

Author: michaelklishin

src/main/java/com/rabbitmq/client/impl/TlsUtils.java

@@ -130,8 +130,8 @@ public static String peerCertificateInfo(Certificate certificate, String prefix)
         try {
             return String.format("%s subject: %s, subject alternative names: %s, " +
                             "issuer: %s, not valid after: %s, X.509 usage extensions: %s",
-                    prefix, c.getSubjectDN().getName(), sans(c, ","), c.getIssuerDN().getName(),
-                    c.getNotAfter(), extensions(c));
+                    stripCRLF(prefix), stripCRLF(c.getSubjectDN().getName()), stripCRLF(sans(c, ",")), stripCRLF(c.getIssuerDN().getName()),
+                    c.getNotAfter(), stripCRLF(extensions(c)));
         } catch (Exception e) {
             return "Error while retrieving " + prefix + " certificate information";
         }
@@ -173,6 +173,14 @@ public static String extensionPrettyPrint(String oid, byte[] derOctetString, X50
         }
     }
 
+    /**
+     * Strips carriage return (CR) and line feed (LF) characters to mitigate CWE-117.
+     * @return sanitised string value
+     */
+    public static String stripCRLF(String value) {
+        return value.replaceAll("\r", "").replaceAll("\n", "");
+    }
+
     private static String extensions(X509Certificate certificate) {
         List<String> extensions = new ArrayList<String>();
         for (String oid : certificate.getCriticalExtensionOIDs()) {