BETA Shoulder is in beta — Findings may sometimes be wrong. Your feedback shapes what we fix next. Share feedback
Shoulder.dev

Understand what every change actually did to your system.
📝

Improper Output Neutralization for Logs

🛡️ 4 rules detect this

Improper Output Neutralization for Logs

The product does not neutralize or incorrectly neutralizes output that is written to logs.

Log injection attacks occur when user input is written to log files without proper sanitization. This can allow attackers to forge log entries, inject malicious content, or exploit log analysis tools.

Prevalence
Medium
3 languages covered
Impact
Medium
Review recommended
Prevention
Documented
4 fix examples
2 Prevention
2 Prevention

How to fix this vulnerability

Prevention strategies for Log Injection based on 4 Shoulder detection rules.

🐹 Go View all Go details →
Log Injection / Log Forging MEDIUM

Strip newlines and control characters from user input before logging

+13 -6 go 
  package main
  
  import (
      "log"
      "net/http"
- )
- 
- func handler(w http.ResponseWriter, r *http.Request) {
-     username := r.URL.Query().Get("user")
-     // Vulnerable: user input logged directly
-     log.Printf("Login attempt for user: %s", username)
+     "strings"
+ )
+ 
+ func sanitizeLogInput(s string) string {
+     s = strings.ReplaceAll(s, "\n", "")
+     s = strings.ReplaceAll(s, "\r", "")
+     return s
+ }
+ 
+ func handler(w http.ResponseWriter, r *http.Request) {
+     username := r.URL.Query().Get("user")
+     // Safe: newlines stripped before logging
+     log.Printf("Login attempt for user: %s", sanitizeLogInput(username))
  }
🟨 JavaScript View all JavaScript details →
Log Injection LOW

Strip newline characters from user input before writing to log files

+1 -1 javascript 
  const express = require('express');
  const winston = require('winston');
  const app = express();
  
  app.post('/login', (req, res) => {
-   const username = req.body.username;
+   const username = req.body.username.replace(/[\r\n]/g, '');
    winston.info(`Login attempt: ${username}`);
    res.json({ status: 'ok' });
  });
Log Injection MEDIUM

Sanitize user input by stripping CRLF characters before writing to logs

+4 -2 javascript 
- app.post('/login', (req, res) => {
-   logger.info(`Login attempt from: ${req.body.username}`);
+ const sanitize = (str) => str.replace(/[\r\n]/g, '').substring(0, 200);
+ 
+ app.post('/login', (req, res) => {
+   logger.info('Login attempt', { username: sanitize(req.body.username) });
  });
🐍 Python View all Python details →
Log Injection / Log Forging MEDIUM

Use structured logging with separate fields for user data instead of string interpolation

+6 -4 python 
  import logging
  from flask import request
  
- @app.route('/login', methods=['POST'])
- def login():
-     username = request.form.get('username')
-     logging.info(f"Login attempt for user: {username}")
+ logger = logging.getLogger(__name__)
+ 
+ @app.route('/login', methods=['POST'])
+ def login():
+     username = request.form.get('username', '')
+     logger.info("Login attempt", extra={'username': username})
      return "OK"
4 Warning Signs
4 Warning Signs

What to watch for in code reviews

These patterns indicate potential Improper Output Neutralization for Logs vulnerabilities. Look for these during code reviews and security audits.

🟡
unsanitized user input flowing into log statements, enabling log forging attacks go-log-injection
🟡
user input flowing to logging functions without sanitization javascript-log-injection
🟡
user input flowing directly into log messages without sanitization python-log-injection
🔵
user input flowing to persistent log files without sanitization javascript-log-injection
🔍

Scan your codebase for Improper Output Neutralization for Logs

Shoulder CLI finds vulnerable patterns across your entire codebase.

npx shoulder trust Browse all rules