Insertion of Sensitive Information into Log File (CWE-532)

Insertion of Sensitive Information into Log File

Information written to log files can be of a sensitive nature and give valuable guidance to an attacker or expose sensitive user information.

When sensitive information like passwords, tokens, or personal data is logged, it becomes accessible to anyone with access to the logs. Log files are often stored with less security than the data they contain.

Prevalence

Medium

3 languages covered

Impact

High

1 high-severity rules

Prevention

Documented

3 fix examples

2 Prevention

How to fix this vulnerability

Prevention strategies for Information Exposure Through Logs based on 3 Shoulder detection rules.

🐹 Go View all Go details →

Logging Sensitive Data MEDIUM

Never log passwords, tokens, or PII; log presence/absence instead

+1 -1 go

  func authenticateUser(username, password string) error {
-     log.Printf("Auth: user=%s password=%s", username, password)
+     log.Printf("Auth attempt: user=%s", username)
      return nil
  }

🟨 JavaScript View all JavaScript details →

Sensitive Data Exposure in Logs MEDIUM

Exclude sensitive fields from logged data using destructuring or redaction

+2 -1 javascript

  app.post('/login', (req, res) => {
-   console.log('Login request:', req.body);
+   const { password, ...safeBody } = req.body;
+   logger.info('Login request:', safeBody);
  });

🐍 Python View all Python details →

Sensitive Data in Logging HIGH

Redact sensitive fields before logging; log actions and identifiers, not credentials

+1 -1 python

  import logging
  
  logger = logging.getLogger(__name__)
  
  def login(username, password):
-     logger.info(f"Login: user={username}, password={password}")
+     logger.info(f"Login attempt for user: {username}")
      authenticate(username, password)

3 Detection

Find vulnerabilities in your code

Use Shoulder to scan your codebase for Insertion of Sensitive Information into Log File patterns. 3 rules.

terminal

# Scan with Shoulder CLI
npx @shoulderdev/cli trust --cwe=532

# Or scan entire project
npx @shoulderdev/cli trust .

Detection Rules (3)

🐹 Go 1 rules

Logging Sensitive Data MEDIUM

Passwords, tokens, or PII logged via log.Printf or similar functions.

🟨 Javascript 1 rules

Sensitive Data Exposure in Logs MEDIUM

Detects when user-provided sensitive data (passwords, tokens, API keys, secrets, etc.) flows directly into logging functions without proper redaction or masking. This rule uses taint flow analysis to detect ACTUAL sensitive data being logged, not just variables with sensitive names. Only triggers when: 1. Data originates from user input (req.body, req.headers, etc.) 2. Contains sensitive field names (password, token, secret, etc.) 3. Flows into logging functions without sanitization Sensitive data in logs can lead to: - Credential exposure in log files or monitoring systems - Unauthorized access if logs are compromised - Compliance violations (PCI-DSS, GDPR, HIPAA) - Data breaches through log aggregation systems

🔷 Typescript 1 rules

Sensitive Data Exposure in Logs MEDIUM

🐍 Python 1 rules

Sensitive Data in Logging HIGH

Detects logging of sensitive data like passwords, API keys, tokens, credit cards, or authentication credentials. Logged sensitive data can be exposed through log files, monitoring systems, or error tracking services.

4 Warning Signs

What to watch for in code reviews

These patterns indicate potential Insertion of Sensitive Information into Log File vulnerabilities. Look for these during code reviews and security audits.

🟠

logging of sensitive data like passwords, API keys, tokens, credit cards, or authentication credenti python-sensitive-data-logging

🟡

when user-provided sensitive data (passwords, tokens, API keys, secrets, etc javascript-sensitive-data-logging

🔍

Scan your codebase for Insertion of Sensitive Information into Log File

Shoulder CLI finds vulnerable patterns across your entire codebase.

npx shoulder trust Browse all rules