![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(182.40000000000003, 65%, 27%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EDC%3C/text%3E%3C/svg%3E)
Developer technologies | .NET | Entity Framework Core
A lightweight, extensible, open-source, and cross-platform version of the Entity Framework data access technology.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(128, 8%, 22%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EA%3C/text%3E%3C/svg%3E)
Hi,@DIEGO CAMILO SILVA TELLEZ. Welcome to Microsoft Q&A.
This error is not because Microsoft.EntityFrameworkCore.SQLServer.dll is unsafe. In .Net, this security flaw usually occurs when writing logs.
As the description says, if a user maliciously or accidentally inserts end-of-line characters (CR [carriage return], LF [line feed], or CRLF [a combination of the two]) into the data written to the log, it may cause problems when parsing the log, or be used by attackers to forge log entries.
You could prevent it as follows:
- Before writing any untrusted data to the log file, you should always properly validate and sanitize the data.
- Prevent characters that cause CRLF injection from being written to the log. Replace all
\rand\n(respectively) with other characters. - Encode the data before writing to the log.
For a more detailed explanation, you could refer to the official documentation: CWE 117: Improper Output Sanitization for Logs | ASP.NET | Veracode
Some security reminders when writing logs(Determine whether it is necessary based on your actual situation):
- Make sure all log messages are properly neutralized before output to avoid directly outputting user-entered data
- Filter out all sensitive information such as passwords, credit card numbers, etc. before logging. You could use regular expressions or other string processing methods to achieve this.
- Limit access to log files. This could be achieved through the file permission settings of the operating system or the access control mechanism of the application.
- Audit log files regularly to check for abnormal or suspicious log records.
If the answer is the right solution, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(211.20000000000002, 61%, 30%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EBS%3C/text%3E%3C/svg%3E)