Insertion of Sensitive Information into Log File (CWE-532)

Insertion of Sensitive Information into Log File

Information written to log files can be of a sensitive nature and give valuable guidance to an attacker or expose sensitive user information.

When sensitive information like passwords, tokens, or personal data is logged, it becomes accessible to anyone with access to the logs. Log files are often stored with less security than the data they contain.

보급률

보통

3개 언어 지원

영향

높음

1개의 높은 심각도 규칙

예방

문서화됨

3개의 수정 예시

2 예방

이 취약점을 수정하는 방법

3개의 Shoulder 탐지 규칙을 기반으로 한 Information Exposure Through Logs 예방 전략.

🐹 Go 모두 보기 Go 자세히 →

Logging Sensitive Data MEDIUM

Never log passwords, tokens, or PII; log presence/absence instead

+1 -1 go

  func authenticateUser(username, password string) error {
-     log.Printf("Auth: user=%s password=%s", username, password)
+     log.Printf("Auth attempt: user=%s", username)
      return nil
  }

🟨 JavaScript 모두 보기 JavaScript 자세히 →

Sensitive Data Exposure in Logs MEDIUM

Exclude sensitive fields from logged data using destructuring or redaction

+2 -1 javascript

  app.post('/login', (req, res) => {
-   console.log('Login request:', req.body);
+   const { password, ...safeBody } = req.body;
+   logger.info('Login request:', safeBody);
  });

🐍 Python 모두 보기 Python 자세히 →

Sensitive Data in Logging HIGH

Redact sensitive fields before logging; log actions and identifiers, not credentials

+1 -1 python

  import logging
  
  logger = logging.getLogger(__name__)
  
  def login(username, password):
-     logger.info(f"Login: user={username}, password={password}")
+     logger.info(f"Login attempt for user: {username}")
      authenticate(username, password)

3 탐지

코드에서 취약점 찾기

Shoulder를 사용하여 코드에서 Insertion of Sensitive Information into Log File 패턴을 스캔하세요. 3 규칙.

터미널

# Scan with Shoulder CLI
npx @shoulderdev/cli trust --cwe=532

# Or scan entire project
npx @shoulderdev/cli trust .

탐지 규칙 (3)

🐹 Go 1 rules

Logging Sensitive Data MEDIUM

Passwords, tokens, or PII logged via log.Printf or similar functions.

🟨 Javascript 1 rules

Sensitive Data Exposure in Logs MEDIUM

Detects when user-provided sensitive data (passwords, tokens, API keys, secrets, etc.) flows directly into logging functions without proper redaction or masking. This rule uses taint flow analysis to detect ACTUAL sensitive data being logged, not just variables with sensitive names. Only triggers when: 1. Data originates from user input (req.body, req.headers, etc.) 2. Contains sensitive field names (password, token, secret, etc.) 3. Flows into logging functions without sanitization Sensitive

🔷 Typescript 1 rules

Sensitive Data Exposure in Logs MEDIUM

🐍 Python 1 rules

Sensitive Data in Logging HIGH

Detects logging of sensitive data like passwords, API keys, tokens, credit cards, or authentication credentials. Logged sensitive data can be exposed through log files, monitoring systems, or error tracking services.

4 경고 신호

코드 리뷰에서 주의할 점

이 패턴은 잠재적인 Insertion of Sensitive Information into Log File 취약점을 나타냅니다. 코드 리뷰와 보안 감사 중에 찾아보세요.

🟠

logging of sensitive data like passwords, API keys, tokens, credit cards, or authentication credenti python-sensitive-data-logging

🟡

when user-provided sensitive data (passwords, tokens, API keys, secrets, etc javascript-sensitive-data-logging

🔍

코드베이스를 스캔하세요: Insertion of Sensitive Information into Log File

Shoulder CLI는 전체 코드베이스에서 취약한 패턴을 찾아냅니다.

npx shoulder trust 모든 규칙 보기