Improper Output Neutralization for Logs
The product does not neutralize or incorrectly neutralizes output that is written to logs.
Log injection attacks occur when user input is written to log files without proper sanitization. This can allow attackers to forge log entries, inject malicious content, or exploit log analysis tools.
Como corrigir esta vulnerabilidade
Estratégias de prevenção para Log Injection baseadas em 4 regras de detecção do Shoulder.
Strip newlines and control characters from user input before logging
package main import ( "log" "net/http" - ) - - func handler(w http.ResponseWriter, r *http.Request) { - username := r.URL.Query().Get("user") - // Vulnerable: user input logged directly - log.Printf("Login attempt for user: %s", username) + "strings" + ) + + func sanitizeLogInput(s string) string { + s = strings.ReplaceAll(s, "\n", "") + s = strings.ReplaceAll(s, "\r", "") + return s + } + + func handler(w http.ResponseWriter, r *http.Request) { + username := r.URL.Query().Get("user") + // Safe: newlines stripped before logging + log.Printf("Login attempt for user: %s", sanitizeLogInput(username)) }
Strip newline characters from user input before writing to log files
const express = require('express'); const winston = require('winston'); const app = express(); app.post('/login', (req, res) => { - const username = req.body.username; + const username = req.body.username.replace(/[\r\n]/g, ''); winston.info(`Login attempt: ${username}`); res.json({ status: 'ok' }); });
Sanitize user input by stripping CRLF characters before writing to logs
- app.post('/login', (req, res) => { - logger.info(`Login attempt from: ${req.body.username}`); + const sanitize = (str) => str.replace(/[\r\n]/g, '').substring(0, 200); + + app.post('/login', (req, res) => { + logger.info('Login attempt', { username: sanitize(req.body.username) }); });
Use structured logging with separate fields for user data instead of string interpolation
import logging from flask import request - @app.route('/login', methods=['POST']) - def login(): - username = request.form.get('username') - logging.info(f"Login attempt for user: {username}") + logger = logging.getLogger(__name__) + + @app.route('/login', methods=['POST']) + def login(): + username = request.form.get('username', '') + logger.info("Login attempt", extra={'username': username}) return "OK"
Encontre vulnerabilidades no seu código
Use o Shoulder para escanear seu código em busca de padrões Improper Output Neutralization for Logs. 4 regras.
# Scan with Shoulder CLI npx @shoulderdev/cli trust --cwe=117 # Or scan entire project npx @shoulderdev/cli trust .
Regras de Detecção (4)
O que observar nas revisões de código
Estes padrões indicam vulnerabilidades potenciais de Improper Output Neutralization for Logs. Procure-os durante revisões de código e auditorias de segurança.
Escaneie seu código para Improper Output Neutralization for Logs
O Shoulder CLI encontra padrões vulneráveis em todo o seu código.