Insertion of Sensitive Information into Log File (CWE-532)

Insertion of Sensitive Information into Log File

Information written to log files can be of a sensitive nature and give valuable guidance to an attacker or expose sensitive user information.

When sensitive information like passwords, tokens, or personal data is logged, it becomes accessible to anyone with access to the logs. Log files are often stored with less security than the data they contain.

Verbreitung

Mittel

3 Sprachen abgedeckt

Auswirkung

Hoch

1 Regeln mit hohem Schweregrad

Prävention

Dokumentiert

3 Fix-Beispiele

2 Prävention

So behebst du diese Schwachstelle

Präventionsstrategien für Information Exposure Through Logs basierend auf 3 Shoulder-Erkennungsregeln.

🐹 Go Alle anzeigen Go Details →

Logging Sensitive Data MEDIUM

Never log passwords, tokens, or PII; log presence/absence instead

+1 -1 go

  func authenticateUser(username, password string) error {
-     log.Printf("Auth: user=%s password=%s", username, password)
+     log.Printf("Auth attempt: user=%s", username)
      return nil
  }

🟨 JavaScript Alle anzeigen JavaScript Details →

Sensitive Data Exposure in Logs MEDIUM

Exclude sensitive fields from logged data using destructuring or redaction

+2 -1 javascript

  app.post('/login', (req, res) => {
-   console.log('Login request:', req.body);
+   const { password, ...safeBody } = req.body;
+   logger.info('Login request:', safeBody);
  });

🐍 Python Alle anzeigen Python Details →

Sensitive Data in Logging HIGH

Redact sensitive fields before logging; log actions and identifiers, not credentials

+1 -1 python

  import logging
  
  logger = logging.getLogger(__name__)
  
  def login(username, password):
-     logger.info(f"Login: user={username}, password={password}")
+     logger.info(f"Login attempt for user: {username}")
      authenticate(username, password)

3 Erkennung

Finden Sie Schwachstellen in Ihrem Code

Verwenden Sie Shoulder, um Ihren Code nach Insertion of Sensitive Information into Log File-Mustern zu scannen. 3 Regeln.

Terminal

# Scan with Shoulder CLI
npx @shoulderdev/cli trust --cwe=532

# Or scan entire project
npx @shoulderdev/cli trust .

Erkennungsregeln (3)

🐹 Go 1 rules

Logging Sensitive Data MEDIUM

Passwords, tokens, or PII logged via log.Printf or similar functions.

🟨 Javascript 1 rules

Sensitive Data Exposure in Logs MEDIUM

Detects when user-provided sensitive data (passwords, tokens, API keys, secrets, etc.) flows directly into logging functions without proper redaction or masking. This rule uses taint flow analysis to detect ACTUAL sensitive data being logged, not just variables with sensitive names. Only triggers when: 1. Data originates from user input (req.body, req.headers, etc.) 2. Contains sensitive field names (password, token, secret, etc.) 3. Flows into logging functions without sanitization Sensitive

🔷 Typescript 1 rules

Sensitive Data Exposure in Logs MEDIUM

🐍 Python 1 rules

Sensitive Data in Logging HIGH

Detects logging of sensitive data like passwords, API keys, tokens, credit cards, or authentication credentials. Logged sensitive data can be exposed through log files, monitoring systems, or error tracking services.

4 Warnzeichen

Worauf bei Code-Reviews zu achten ist

Diese Muster weisen auf potenzielle Insertion of Sensitive Information into Log File-Schwachstellen hin. Achten Sie bei Code-Reviews und Sicherheitsaudits darauf.

🟠

logging of sensitive data like passwords, API keys, tokens, credit cards, or authentication credenti python-sensitive-data-logging

🟡

when user-provided sensitive data (passwords, tokens, API keys, secrets, etc javascript-sensitive-data-logging

🔍

Scanne deine Codebasis nach Insertion of Sensitive Information into Log File

Shoulder CLI findet anfällige Muster in deiner gesamten Codebasis.

npx shoulder trust Alle Regeln durchsuchen