Insertion of Sensitive Information into Log File (CWE-532)

Insertion of Sensitive Information into Log File

Information written to log files can be of a sensitive nature and give valuable guidance to an attacker or expose sensitive user information.

When sensitive information like passwords, tokens, or personal data is logged, it becomes accessible to anyone with access to the logs. Log files are often stored with less security than the data they contain.

Prévalence

Moyenne

3 langages couverts

Impact

Élevé

1 règles de sévérité élevée

Prévention

Documentée

3 exemples de correctifs

2 Prévention

Comment corriger cette vulnérabilité

Stratégies de prévention pour Information Exposure Through Logs basées sur 3 règles de détection Shoulder.

🐹 Go Tout voir Go détails →

Logging Sensitive Data MEDIUM

Never log passwords, tokens, or PII; log presence/absence instead

+1 -1 go

  func authenticateUser(username, password string) error {
-     log.Printf("Auth: user=%s password=%s", username, password)
+     log.Printf("Auth attempt: user=%s", username)
      return nil
  }

🟨 JavaScript Tout voir JavaScript détails →

Sensitive Data Exposure in Logs MEDIUM

Exclude sensitive fields from logged data using destructuring or redaction

+2 -1 javascript

  app.post('/login', (req, res) => {
-   console.log('Login request:', req.body);
+   const { password, ...safeBody } = req.body;
+   logger.info('Login request:', safeBody);
  });

🐍 Python Tout voir Python détails →

Sensitive Data in Logging HIGH

Redact sensitive fields before logging; log actions and identifiers, not credentials

+1 -1 python

  import logging
  
  logger = logging.getLogger(__name__)
  
  def login(username, password):
-     logger.info(f"Login: user={username}, password={password}")
+     logger.info(f"Login attempt for user: {username}")
      authenticate(username, password)

3 Détection

Trouvez les vulnérabilités dans votre code

Utilisez Shoulder pour scanner votre code à la recherche de patterns Insertion of Sensitive Information into Log File. 3 règles.

terminal

# Scan with Shoulder CLI
npx @shoulderdev/cli trust --cwe=532

# Or scan entire project
npx @shoulderdev/cli trust .

Règles de Détection (3)

🐹 Go 1 rules

Logging Sensitive Data MEDIUM

Passwords, tokens, or PII logged via log.Printf or similar functions.

🟨 Javascript 1 rules

Sensitive Data Exposure in Logs MEDIUM

Detects when user-provided sensitive data (passwords, tokens, API keys, secrets, etc.) flows directly into logging functions without proper redaction or masking. This rule uses taint flow analysis to detect ACTUAL sensitive data being logged, not just variables with sensitive names. Only triggers when: 1. Data originates from user input (req.body, req.headers, etc.) 2. Contains sensitive field names (password, token, secret, etc.) 3. Flows into logging functions without sanitization Sensitive

🔷 Typescript 1 rules

Sensitive Data Exposure in Logs MEDIUM

🐍 Python 1 rules

Sensitive Data in Logging HIGH

Detects logging of sensitive data like passwords, API keys, tokens, credit cards, or authentication credentials. Logged sensitive data can be exposed through log files, monitoring systems, or error tracking services.

4 Signes d'Alerte

Ce qu'il faut surveiller lors des revues de code

Ces patterns indiquent des vulnérabilités potentielles Insertion of Sensitive Information into Log File. Recherchez-les lors des revues de code et des audits de sécurité.

🟠

logging of sensitive data like passwords, API keys, tokens, credit cards, or authentication credenti python-sensitive-data-logging

🟡

when user-provided sensitive data (passwords, tokens, API keys, secrets, etc javascript-sensitive-data-logging

🔍

Scannez votre base de code pour Insertion of Sensitive Information into Log File

Shoulder CLI trouve les motifs vulnérables dans toute votre base de code.

npx shoulder trust Parcourir toutes les règles