Insertion of Sensitive Information into Log File (CWE-532)

Insertion of Sensitive Information into Log File

Information written to log files can be of a sensitive nature and give valuable guidance to an attacker or expose sensitive user information.

When sensitive information like passwords, tokens, or personal data is logged, it becomes accessible to anyone with access to the logs. Log files are often stored with less security than the data they contain.

Prevalência

Média

3 linguagens cobertas

Impacto

Alto

1 regras de severidade alta

Prevenção

Documentada

3 exemplos de correção

2 Prevenção

Como corrigir esta vulnerabilidade

Estratégias de prevenção para Information Exposure Through Logs baseadas em 3 regras de detecção do Shoulder.

🐹 Go Ver tudo Go detalhes →

Logging Sensitive Data MEDIUM

Never log passwords, tokens, or PII; log presence/absence instead

+1 -1 go

  func authenticateUser(username, password string) error {
-     log.Printf("Auth: user=%s password=%s", username, password)
+     log.Printf("Auth attempt: user=%s", username)
      return nil
  }

🟨 JavaScript Ver tudo JavaScript detalhes →

Sensitive Data Exposure in Logs MEDIUM

Exclude sensitive fields from logged data using destructuring or redaction

+2 -1 javascript

  app.post('/login', (req, res) => {
-   console.log('Login request:', req.body);
+   const { password, ...safeBody } = req.body;
+   logger.info('Login request:', safeBody);
  });

🐍 Python Ver tudo Python detalhes →

Sensitive Data in Logging HIGH

Redact sensitive fields before logging; log actions and identifiers, not credentials

+1 -1 python

  import logging
  
  logger = logging.getLogger(__name__)
  
  def login(username, password):
-     logger.info(f"Login: user={username}, password={password}")
+     logger.info(f"Login attempt for user: {username}")
      authenticate(username, password)

3 Detecção

Encontre vulnerabilidades no seu código

Use o Shoulder para escanear seu código em busca de padrões Insertion of Sensitive Information into Log File. 3 regras.

terminal

# Scan with Shoulder CLI
npx @shoulderdev/cli trust --cwe=532

# Or scan entire project
npx @shoulderdev/cli trust .

Regras de Detecção (3)

🐹 Go 1 rules

Logging Sensitive Data MEDIUM

Passwords, tokens, or PII logged via log.Printf or similar functions.

🟨 Javascript 1 rules

Sensitive Data Exposure in Logs MEDIUM

Detects when user-provided sensitive data (passwords, tokens, API keys, secrets, etc.) flows directly into logging functions without proper redaction or masking. This rule uses taint flow analysis to detect ACTUAL sensitive data being logged, not just variables with sensitive names. Only triggers when: 1. Data originates from user input (req.body, req.headers, etc.) 2. Contains sensitive field names (password, token, secret, etc.) 3. Flows into logging functions without sanitization Sensitive

🔷 Typescript 1 rules

Sensitive Data Exposure in Logs MEDIUM

🐍 Python 1 rules

Sensitive Data in Logging HIGH

Detects logging of sensitive data like passwords, API keys, tokens, credit cards, or authentication credentials. Logged sensitive data can be exposed through log files, monitoring systems, or error tracking services.

4 Sinais de Alerta

O que observar nas revisões de código

Estes padrões indicam vulnerabilidades potenciais de Insertion of Sensitive Information into Log File. Procure-os durante revisões de código e auditorias de segurança.

🟠

logging of sensitive data like passwords, API keys, tokens, credit cards, or authentication credenti python-sensitive-data-logging

🟡

when user-provided sensitive data (passwords, tokens, API keys, secrets, etc javascript-sensitive-data-logging

🔍

Escaneie seu código para Insertion of Sensitive Information into Log File

O Shoulder CLI encontra padrões vulneráveis em todo o seu código.

npx shoulder trust Ver todas as regras