# Sensitive Data Exposure in Logs

- ID: javascript-sensitive-data-logging
- Severity: MEDIUM
- CWE: Information Exposure Through Logs (CWE-532)
- Languages: JavaScript, TypeScript
- Frameworks: nodejs, express, fastify, koa, hapi, nestjs

## Description

Detects when user-provided sensitive data (passwords, tokens, API keys, secrets, etc.) flows directly into logging functions without proper redaction or masking.

This rule uses taint flow analysis to detect *actual* sensitive data being logged, not just variables with sensitive names. It only triggers when:

1. Data originates from user input (`req.body`, `req.headers`, etc.)
2. It contains sensitive field names (password, token, secret, etc.)
3. It flows into logging functions without sanitization

Sensitive data in logs can lead to:

- Credential exposure in log files or monitoring systems
- Unauthorized access if logs are compromised
- Compliance violations (PCI-DSS, GDPR, HIPAA)
- Data breaches through log aggregation systems

## Detection Message

Untrusted user input containing sensitive data flows from {source} to logging function {sink}. This can expose credentials, tokens, or personal information in log files.

## Remediation

Exclude sensitive fields from logged data:

```javascript
// Drop the password field and log only the remaining body
const { password, ...safeBody } = req.body;
console.log('Request body:', safeBody);

// Keep a short prefix of a token so log lines stay correlatable
// without exposing the full secret
function redactToken(token) {
  return token ? token.substring(0, 4) + '***' : '';
}
logger.info('Token:', redactToken(authToken));
```

Learn more: https://shoulder.dev/learn/javascript/cwe-532/sensitive-data-logging

## Related Rules

- **Logging Sensitive Data** [MEDIUM]
- **Sensitive Data in Logging** [HIGH]
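The remediation above handles one field at a time; in practice a request-logging middleware has to cover every sensitive key, including ones nested inside the body or carried in headers such as `Authorization`. The following is an added example (not code from the rule page or from shoulder.dev) of a recursive redaction helper applied in an Express-style middleware. The key list, the `maskValue` prefix length, the `logger.info(msg, meta)` interface and the `sampleReq` object are all assumptions constructed for this example.

```javascript
// Added example: redact sensitive fields before a request reaches the logger.
// Not part of the original rule page; all sample data below is constructed.

// Keys treated as sensitive (assumed list; extend to match your own schemas).
const SENSITIVE_KEYS = [
  'password', 'passwd', 'pwd', 'secret', 'token', 'access_token',
  'refresh_token', 'api_key', 'apikey', 'authorization', 'cookie',
  'credit_card', 'ssn',
];

// Normalise a key so that apiKey, api_key and API-KEY all compare equal.
function normaliseKey(key) {
  return String(key).toLowerCase().replace(/[-_\s]/g, '');
}

const NORMALISED_SENSITIVE = new Set(SENSITIVE_KEYS.map(normaliseKey));

// Keep a 4-character prefix for correlation and mask the rest.
function maskValue(value) {
  const s = String(value);
  if (s.length <= 4) return '***';
  return s.slice(0, 4) + '***';
}

// Return a deep copy of `data` with sensitive leaf values masked.
// Handles nested objects and arrays; primitives and null pass through.
// The input object is never mutated, so the request itself stays usable.
function redact(data, depth = 0) {
  if (depth > 10) return '[truncated]'; // guard against pathological nesting
  if (Array.isArray(data)) return data.map((item) => redact(item, depth + 1));
  if (data === null || typeof data !== 'object') return data;
  const out = {};
  for (const [key, value] of Object.entries(data)) {
    out[key] = NORMALISED_SENSITIVE.has(normaliseKey(key))
      ? maskValue(value)
      : redact(value, depth + 1);
  }
  return out;
}

// The pattern the rule flags: raw body and headers flow straight into the sink.
function unsafeLogRecord(req) {
  return { method: req.method, path: req.path, headers: req.headers, body: req.body };
}

// The hardened form: the same record with sensitive values masked.
function buildLogRecord(req) {
  return {
    method: req.method,
    path: req.path,
    headers: redact(req.headers),
    body: redact(req.body),
  };
}

// Express-style middleware; `logger` is any object with info(msg, meta).
function requestLogger(logger) {
  return (req, res, next) => {
    logger.info('incoming request', buildLogRecord(req));
    next();
  };
}

// Constructed sample request, standing in for a real Express req object.
const sampleReq = {
  method: 'POST',
  path: '/login',
  headers: { authorization: 'Bearer eyJabc.def.ghi', 'x-request-id': 'r-1' },
  body: {
    username: 'alice',
    password: 'hunter2',
    profile: { apiKey: 'sk_live_1234567890' },
  },
};

const consoleLogger = { info: (msg, meta) => console.log(msg, JSON.stringify(meta)) };
requestLogger(consoleLogger)(sampleReq, {}, () => {});
```

Masking with a short prefix rather than deleting the field keeps the log line useful for incident triage (you can tell two requests used different tokens) without reproducing the secret. A denylist like this should be reviewed whenever a new credential-bearing field is added to an API, since the rule's taint analysis only knows the field names it has been told about.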