we use custom logger to log the messages in try catch block, verascan reports error CWE 117: Improper Output Sanitization for Logs.
Code:
protected void Application_Error(object sender, EventArgs e)
{
try
{
Exception unhandledEx = Server.GetLastError();
if (unhandledEx == null)
{
unhandledEx = new ApplicationException("An unhandled exception was caught in Global.asax but LastError was null");
}
LogEntry entry = new LogEntry("An unhandled exception was caught in the Global.asax"
, "Exception"
, 9
, 3095001
, System.Diagnostics.TraceEventType.Critical
, "Unhandled Exception"
, new Dictionary<string, object>());
PopulateExtendedPropertiesHelper.PopulateExtendedProperties(entry.ExtendedProperties);
Logger.Write(entry);
try { ExceptionPolicy.HandleException(unhandledEx, "Unhandled Policy"); }
catch { }
}
catch (Exception ex)
{
try
{
LogEntry entry = new LogEntry("An exception occurred in the Global.asax Application_Error method"
, "Exception"
, 9
, 3095001
, System.Diagnostics.TraceEventType.Error
, ex.Message
, new Dictionary<string, object>());
PopulateExtendedPropertiesHelper.PopulateExtendedProperties(entry.ExtendedProperties);
Logger.Write(entry);
try { ExceptionPolicy.HandleException(ex, "Unhandled Policy"); }
catch { }
}
catch (Exception innerEx)
{
// error handling failed
System.Diagnostics.Debug.Write(innerEx.Message);
}
}
}
}
