# Insertion of Sensitive Information into Log File (CWE-532)

Information written to log files can be of a sensitive nature and give valuable guidance to an attacker or expose sensitive user information.

- Prevalence: Medium 3 languages covered
- Impact: High 1 high-severity rules
- Prevention: Documented 3 fix examples

**OWASP:** Security Logging and Monitoring Failures (A09:2021-Security Logging and Monitoring Failures) - #9

## Description

When sensitive information like passwords, tokens, or personal data is logged, it becomes accessible to anyone with access to the logs. Log files are often stored with less security than the data they contain.

## Prevention

Prevention strategies for Information Exposure Through Logs based on 3 Shoulder detection rules.

### Go

Never log passwords, tokens, or PII; log presence/absence instead

### Node.js

Exclude sensitive fields from logged data using destructuring or redaction

### Python

Redact sensitive fields before logging; log actions and identifiers, not credentials

## Warning Signs

- [HIGH] logging of sensitive data like passwords, API keys, tokens, credit
cards, or authentication credenti
- [MEDIUM] when user-provided sensitive data (passwords, tokens, API keys, secrets, etc

## Consequences

- Read Application Data
- Gain Privileges

## Mitigations

- Never log sensitive information such as passwords or tokens
- Implement log data classification and filtering
- Mask or redact sensitive data before logging

## Detection

- Total rules: 3
- Languages: go, javascript, typescript, python

## Rules by Language

### Go (1 rules)

- **Logging Sensitive Data** [MEDIUM]: Passwords, tokens, or PII logged via log.Printf or similar functions.
  - Remediation: Never log sensitive values. Log presence/absence instead of actual values.

```go
// Log only that API key is configured, not the value
if apiKey != "" {
    log.Println("API key configured")
}
```

Learn more: https://shoulder.dev/learn/go/cwe-532/sensitive-data-logging

### Javascript (1 rules)

- **Sensitive Data Exposure in Logs** [MEDIUM]: Detects when user-provided sensitive data (passwords, tokens, API keys, secrets, etc.)
flows directly into logging functions without proper redaction or masking.

This rule uses taint flow analysis to detect ACTUAL sensitive data being logged,
not just variables with sensitive names. Only triggers when:
1. Data originates from user input (req.body, req.headers, etc.)
2. Contains sensitive field names (password, token, secret, etc.)
3. Flows into logging functions without sanitization

Sensitive data in logs can lead to:
- Credential exposure in log files or monitoring systems
- Unauthorized access if logs are compromised
- Compliance violations (PCI-DSS, GDPR, HIPAA)
- Data breaches through log aggregation systems
  - Remediation: Exclude sensitive fields from logged data:

```javascript
const { password, ...safeBody } = req.body;
console.log('Request body:', safeBody);

function redactToken(token) {
  return token ? token.substring(0, 4) + '***' : '';
}
logger.info('Token:', redactToken(authToken));
```

Learn more: https://shoulder.dev/learn/javascript/cwe-532/sensitive-data-logging

### Typescript (1 rules)

- **Sensitive Data Exposure in Logs** [MEDIUM]: Detects when user-provided sensitive data (passwords, tokens, API keys, secrets, etc.)
flows directly into logging functions without proper redaction or masking.

This rule uses taint flow analysis to detect ACTUAL sensitive data being logged,
not just variables with sensitive names. Only triggers when:
1. Data originates from user input (req.body, req.headers, etc.)
2. Contains sensitive field names (password, token, secret, etc.)
3. Flows into logging functions without sanitization

Sensitive data in logs can lead to:
- Credential exposure in log files or monitoring systems
- Unauthorized access if logs are compromised
- Compliance violations (PCI-DSS, GDPR, HIPAA)
- Data breaches through log aggregation systems
  - Remediation: Exclude sensitive fields from logged data:

```javascript
const { password, ...safeBody } = req.body;
console.log('Request body:', safeBody);

function redactToken(token) {
  return token ? token.substring(0, 4) + '***' : '';
}
logger.info('Token:', redactToken(authToken));
```

Learn more: https://shoulder.dev/learn/javascript/cwe-532/sensitive-data-logging

### Python (1 rules)

- **Sensitive Data in Logging** [HIGH]: Detects logging of sensitive data like passwords, API keys, tokens, credit
cards, or authentication credentials. Logged sensitive data can be exposed
through log files, monitoring systems, or error tracking services.
  - Remediation: Redact sensitive fields before logging; log actions and usernames, not credentials.

```python
import logging

logger = logging.getLogger(__name__)

SENSITIVE = {'password', 'token', 'api_key', 'secret'}

def sanitize(data):
    return {k: '***' if k in SENSITIVE else v for k, v in data.items()}

def login(username, password):
    logger.info(f"Login attempt for: {username}")  # Log username, not password
    authenticate(username, password)
```

Learn more: https://shoulder.dev/learn/python/cwe-532/sensitive-data-logging