# Improper Output Neutralization for Logs (CWE-117) The product does not neutralize or incorrectly neutralizes output that is written to logs. - Prevalence: Mittel 3 Sprachen abgedeckt - Impact: Mittel Review empfohlen - Prevention: Dokumentiert 4 Fix-Beispiele **OWASP:** Injection (A03:2021-Injection) - #3 ## Description Log injection attacks occur when user input is written to log files without proper sanitization. This can allow attackers to forge log entries, inject malicious content, or exploit log analysis tools. ## Prevention Präventionsstrategien für Log Injection basierend auf 4 Shoulder-Erkennungsregeln. ### Go Strip newlines and control characters from user input before logging ### JavaScript Strip newline characters from user input before writing to log files Sanitize user input by stripping CRLF characters before writing to logs ### Python Use structured logging with separate fields for user data instead of string interpolation ## Warning Signs - [MEDIUM] unsanitized user input flowing into log statements, enabling log forging attacks - [MEDIUM] user input flowing directly into log messages without sanitization - [LOW] user input flowing to persistent log files without sanitization ## Consequences - Anwendungsdaten ändern - Aktivitäten verbergen - Nicht autorisierten Code ausführen ## Mitigations - Validiere und bereinige alle Eingaben, bevor sie in Logs geschrieben werden - Verwende strukturierte Log-Formate, die Daten von der Log-Syntax trennen - Encodiere Sonderzeichen, wenn benutzergesteuerte Daten in Logs geschrieben werden ## Detection - Total rules: 4 - Languages: go, javascript, typescript, python ## Rules by Language ### Javascript (2 rules) - **Log Injection** [LOW]: Detects user input flowing to persistent log files without sanitization. - Remediation: Sanitize user input by removing newline characters before logging. ```javascript const safe = userInput.replace(/[\r\n]/g, ''); logger.info(safe); ``` Learn more: https://shoulder.dev/learn/javascript/cwe-117/log-injection - **Log Injection** [MEDIUM]: Detects user input flowing to persistent log files without sanitization. - Remediation: Sanitize user input before logging to prevent log forgery: ```javascript const sanitize = (str) => str.replace(/[\r\n]/g, '').substring(0, 200); logger.info('Login attempt', { username: sanitize(req.body.username) }); ``` Learn more: https://shoulder.dev/learn/javascript/cwe-117/log-injection ### Go (1 rules) - **Log Injection / Log Forging** [MEDIUM]: Detects unsanitized user input flowing into log statements, enabling log forging attacks. - Remediation: Remove newlines and control characters from user input before logging. ```go sanitized := strings.ReplaceAll(userInput, "\n", "") sanitized = strings.ReplaceAll(sanitized, "\r", "") log.Printf("User action: %s", sanitized) ``` Learn more: https://shoulder.dev/learn/go/cwe-117/log-injection ### Typescript (1 rules) - **Log Injection** [MEDIUM]: Detects user input flowing to persistent log files without sanitization. - Remediation: Sanitize user input before logging to prevent log forgery: ```javascript const sanitize = (str) => str.replace(/[\r\n]/g, '').substring(0, 200); logger.info('Login attempt', { username: sanitize(req.body.username) }); ``` Learn more: https://shoulder.dev/learn/javascript/cwe-117/log-injection ### Python (1 rules) - **Log Injection / Log Forging** [MEDIUM]: Detects user input flowing directly into log messages without sanitization. - Remediation: Use structured logging with separate fields for user data. ```python logging.info("Login attempt", extra={'username': username}) ``` Learn more: https://shoulder.dev/learn/python/cwe-117/log-injection