# Improper Output Neutralization for Logs (CWE-117)

The product does not neutralize or incorrectly neutralizes output that is written to logs.

**Stack:** JavaScript

- Prevalence: मध्यम 3 भाषाएँ कवर की गईं
- Impact: मध्यम समीक्षा अनुशंसित
- Prevention: प्रलेखित 4 फिक्स उदाहरण

**OWASP:** Injection (A03:2021-Injection) - #3

## Description

Log injection attacks occur when user input is written to log files without proper sanitization. This can allow attackers to forge log entries, inject malicious content, or exploit log analysis tools.

## Prevention

2 Shoulder डिटेक्शन नियमों पर आधारित Log Injection के लिए रोकथाम रणनीतियाँ।

### JavaScript

Strip newline characters from user input before writing to log files

Sanitize user input by stripping CRLF characters before writing to logs

## Warning Signs

- [LOW] user input flowing to persistent log files without sanitization

## Consequences

- एप्लिकेशन डेटा संशोधित करना
- गतिविधियाँ छिपाना
- अनधिकृत कोड निष्पादित करना

## Mitigations

- लॉग में लिखने से पहले सभी इनपुट को सत्यापित और सैनिटाइज़ करें
- ऐसे संरचित लॉगिंग प्रारूपों का उपयोग करें जो डेटा को लॉग सिंटैक्स से अलग रखें
- उपयोगकर्ता-नियंत्रित डेटा को लॉग में लिखते समय विशेष वर्णों को एनकोड करें

## Detection

- Total rules: 4
- Languages: go, javascript, typescript, python

## Rules by Language

### Javascript (2 rules)

- **Log Injection** [LOW]: Detects user input flowing to persistent log files without sanitization.
  - Remediation: Sanitize user input by removing newline characters before logging.

```javascript
const safe = userInput.replace(/[\r\n]/g, '');
logger.info(safe);
```

Learn more: https://shoulder.dev/learn/javascript/cwe-117/log-injection
- **Log Injection** [MEDIUM]: Detects user input flowing to persistent log files without sanitization.
  - Remediation: Sanitize user input before logging to prevent log forgery:

```javascript
const sanitize = (str) => str.replace(/[\r\n]/g, '').substring(0, 200);
logger.info('Login attempt', { username: sanitize(req.body.username) });
```

Learn more: https://shoulder.dev/learn/javascript/cwe-117/log-injection

### Typescript (1 rules)

- **Log Injection** [MEDIUM]: Detects user input flowing to persistent log files without sanitization.
  - Remediation: Sanitize user input before logging to prevent log forgery:

```javascript
const sanitize = (str) => str.replace(/[\r\n]/g, '').substring(0, 200);
logger.info('Login attempt', { username: sanitize(req.body.username) });
```

Learn more: https://shoulder.dev/learn/javascript/cwe-117/log-injection