Insertion of Sensitive Information into Log File
Information written to log files can be of a sensitive nature and give valuable guidance to an attacker or expose sensitive user information.
When sensitive information like passwords, tokens, or personal data is logged, it becomes accessible to anyone with access to the logs. Log files are often stored with less security than the data they contain.
Cómo corregir esta vulnerabilidad
Estrategias de prevención para Information Exposure Through Logs basadas en 3 reglas de detección de Shoulder.
Never log passwords, tokens, or PII; log presence/absence instead
func authenticateUser(username, password string) error { - log.Printf("Auth: user=%s password=%s", username, password) + log.Printf("Auth attempt: user=%s", username) return nil }
Exclude sensitive fields from logged data using destructuring or redaction
app.post('/login', (req, res) => { - console.log('Login request:', req.body); + const { password, ...safeBody } = req.body; + logger.info('Login request:', safeBody); });
Redact sensitive fields before logging; log actions and identifiers, not credentials
import logging logger = logging.getLogger(__name__) def login(username, password): - logger.info(f"Login: user={username}, password={password}") + logger.info(f"Login attempt for user: {username}") authenticate(username, password)
Encuentra vulnerabilidades en tu código
Usa Shoulder para escanear tu código en busca de patrones Insertion of Sensitive Information into Log File. 3 reglas.
# Scan with Shoulder CLI npx @shoulderdev/cli trust --cwe=532 # Or scan entire project npx @shoulderdev/cli trust .
Reglas de Detección (3)
Qué buscar en las revisiones de código
Estos patrones indican vulnerabilidades potenciales de Insertion of Sensitive Information into Log File. Búscalos durante las revisiones de código y auditorías de seguridad.
Escanea tu base de código para Insertion of Sensitive Information into Log File
Shoulder CLI encuentra patrones vulnerables en toda tu base de código.