# Insertion of Sensitive Information into Log File (CWE-532)

Information written to log files can be of a sensitive nature and give valuable guidance to an attacker or expose sensitive user information.

**Stack:** JavaScript

- Prevalence: Medium (3 languages covered)
- Impact: High (1 high-severity rule)
- Prevention: Documented (3 fix examples)

**OWASP:** Security Logging and Monitoring Failures (A09:2021-Security Logging and Monitoring Failures) - #9

## Description

When sensitive information like passwords, tokens, or personal data is logged, it becomes accessible to anyone with access to the logs: operators, log-aggregation vendors, backup systems, and anyone who compromises any of them. Log files are often stored with far weaker access controls than the data stores they describe, so logging a credential effectively downgrades its protection to that of the log.

## Prevention

Prevention strategies for Information Exposure Through Logs, based on 1 Shoulder detection rule.

### JavaScript

Exclude sensitive fields from logged data using destructuring or redaction.

## Warning Signs

- [MEDIUM] User-provided sensitive data (passwords, tokens, API keys, secrets, etc.) flows directly into logging functions without proper redaction or masking.

## Consequences

- Read application data
- Gain privileges

## Mitigations

- Never log sensitive information such as passwords or tokens
- Apply log data classification and filtering
- Mask or redact sensitive data before logging

## Detection

- Total rules: 3
- Languages: go, javascript, typescript, python

## Rules by Language

### Javascript (1 rule)

- **Sensitive Data Exposure in Logs** [MEDIUM]: Detects when user-provided sensitive data (passwords, tokens, API keys, secrets, etc.) flows directly into logging functions without proper redaction or masking. This rule uses taint flow analysis to detect ACTUAL sensitive data being logged, not just variables with sensitive names. Only triggers when:
  1. Data originates from user input (`req.body`, `req.headers`, etc.)
  2. Contains sensitive field names (password, token, secret, etc.)
  3. Flows into logging functions without sanitization

Remediation: Exclude sensitive fields from logged data:

```javascript
// Strip the password from the body before the body reaches the log
const { password, ...safeBody } = req.body;
console.log('Request body:', safeBody);

// Keep only a short prefix of a token so log entries can still be correlated
// without exposing a usable credential
function redactToken(token) {
  return token ? token.substring(0, 4) + '***' : '';
}
// `logger` is the application's logger (e.g. winston or pino)
logger.info('Token:', redactToken(authToken));
```

Learn more: https://shoulder.dev/learn/javascript/cwe-532/sensitive-data-logging

### Typescript (1 rule)

- **Sensitive Data Exposure in Logs** [MEDIUM]: Detects when user-provided sensitive data (passwords, tokens, API keys, secrets, etc.) flows directly into logging functions without proper redaction or masking. This rule uses taint flow analysis to detect ACTUAL sensitive data being logged, not just variables with sensitive names. Only triggers when:
  1. Data originates from user input (`req.body`, `req.headers`, etc.)
  2. Contains sensitive field names (password, token, secret, etc.)
  3. Flows into logging functions without sanitization

Remediation: Exclude sensitive fields from logged data:

```javascript
// Strip the password from the body before the body reaches the log
const { password, ...safeBody } = req.body;
console.log('Request body:', safeBody);

// Keep only a short prefix of a token so log entries can still be correlated
// without exposing a usable credential
function redactToken(token) {
  return token ? token.substring(0, 4) + '***' : '';
}
// `logger` is the application's logger (e.g. winston or pino)
logger.info('Token:', redactToken(authToken));
```

Learn more: https://shoulder.dev/learn/javascript/cwe-532/sensitive-data-logging
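The destructuring fix above only removes one known field at one call site. The example below is an added illustration (not Shoulder's code and not part of the rule) of the more general mitigation the page recommends: a redaction step that runs over the whole request object before anything reaches the logger. It generalises the remediation to nested objects, arrays, `Authorization` headers, secrets embedded in query strings, and circular references. The field-name list, the `[REDACTED]` marker, the Express-style `req` shape and the sample request are all assumptions made for the example.

```javascript
// Added example: redact user-supplied sensitive data before it reaches a logger.
// Assumptions: an Express-style req object ({ method, url, headers, body });
// the key list below is illustrative and should be tuned per application.

const SENSITIVE_KEYS =
  /^(password|passwd|pass|secret|token|access_token|refresh_token|api[-_]?key|authorization|cookie|set-cookie|client_secret|private_key|ssn|credit_card|card_number|cvv)$/i;
const MASK = '[REDACTED]';

// Keep a 4-character prefix so operators can correlate entries; short values are fully masked.
function redactToken(value) {
  const s = String(value);
  if (s.length <= 4) return MASK;
  return s.substring(0, 4) + '***';
}

// Return a deep copy of `value` with sensitive keys masked. Does not mutate the input,
// recurses into arrays and nested objects, and tolerates cyclic references.
function redact(value, seen = new WeakSet()) {
  if (value === null || typeof value !== 'object') return value;
  if (seen.has(value)) return '[Circular]';
  seen.add(value);
  if (Array.isArray(value)) return value.map((v) => redact(v, seen));
  const out = {};
  for (const [key, v] of Object.entries(value)) {
    if (SENSITIVE_KEYS.test(key)) {
      // For Authorization-style values keep the scheme (Bearer/Basic) but drop the credential.
      out[key] =
        typeof v === 'string' && /^(bearer|basic)\s/i.test(v)
          ? v.split(/\s+/)[0] + ' ' + MASK
          : MASK;
    } else {
      out[key] = redact(v, seen);
    }
  }
  return out;
}

// Secrets also leak inside free-form strings, e.g. a URL with ?api_key=... in it.
function scrubString(str) {
  return String(str).replace(
    /([?&](?:api[-_]?key|token|password|secret)=)[^&\s]+/gi,
    '$1' + MASK
  );
}

// Build the only object that is allowed to reach the logger.
function safeRequestSummary(req) {
  return {
    method: req.method,
    url: scrubString(req.url),
    headers: redact(req.headers),
    body: redact(req.body),
  };
}

// Vulnerable pattern (what the rule flags): the raw request, password and bearer
// token included, goes straight into the log.
function logRequestVulnerable(req, logger = console) {
  logger.info('incoming request', JSON.stringify(req));
}

// Hardened pattern: only the redacted summary is logged.
function logRequestSafe(req, logger = console) {
  logger.info('incoming request', JSON.stringify(safeRequestSummary(req)));
}

// Constructed sample request for the demonstration (not captured from a real system).
const sampleReq = {
  method: 'POST',
  url: '/login?api_key=ak_live_1234567890',
  headers: {
    'content-type': 'application/json',
    authorization: 'Bearer eyJhbGciOi.example.sig',
  },
  body: {
    username: 'alice',
    password: 'hunter2',
    profile: { apiKey: 'sk-abc' },
    tags: ['x'],
  },
};

logRequestSafe(sampleReq);
```

Putting the redaction in one place (a logger serializer or middleware that calls `safeRequestSummary`) is what makes the taint-flow finding go away for every call site at once, rather than relying on each developer remembering to destructure the right field. The key list is deliberately a deny list of names, so it must be reviewed when new secret-bearing fields are added to the API; the `scrubString` pass is a safety net for values that never had a sensitive key to begin with.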