# Improper Output Neutralization for Logs (CWE-117)

The product does not neutralize or incorrectly neutralizes output that is written to logs.

- Prevalence: 中 覆盖 3 种语言
- Impact: 中 建议审查
- Prevention: 已记录 4 个修复示例

**OWASP:** Injection (A03:2021-Injection) - #3

## Description

Log injection attacks occur when user input is written to log files without proper sanitization. This can allow attackers to forge log entries, inject malicious content, or exploit log analysis tools.

## Prevention

基于 4 条 Shoulder 检测规则的 Log Injection 预防策略。

### Go

Strip newlines and control characters from user input before logging

### JavaScript

Strip newline characters from user input before writing to log files

Sanitize user input by stripping CRLF characters before writing to logs

### Python

Use structured logging with separate fields for user data instead of string interpolation

## Warning Signs

- [MEDIUM] unsanitized user input flowing into log statements, enabling log forging attacks
- [MEDIUM] user input flowing directly into log messages without sanitization
- [LOW] user input flowing to persistent log files without sanitization

## Consequences

- 修改应用程序数据
- 隐藏活动
- 执行未授权代码

## Mitigations

- 在写入日志前,对所有输入进行验证和净化
- 使用将数据与日志语法分离的结构化日志格式
- 将用户可控数据写入日志时,对特殊字符进行编码

## Detection

- Total rules: 4
- Languages: go, javascript, typescript, python

## Rules by Language

### Javascript (2 rules)

- **Log Injection** [LOW]: Detects user input flowing to persistent log files without sanitization.
  - Remediation: Sanitize user input by removing newline characters before logging.

```javascript
const safe = userInput.replace(/[\r\n]/g, '');
logger.info(safe);
```

Learn more: https://shoulder.dev/learn/javascript/cwe-117/log-injection
- **Log Injection** [MEDIUM]: Detects user input flowing to persistent log files without sanitization.
  - Remediation: Sanitize user input before logging to prevent log forgery:

```javascript
const sanitize = (str) => str.replace(/[\r\n]/g, '').substring(0, 200);
logger.info('Login attempt', { username: sanitize(req.body.username) });
```

Learn more: https://shoulder.dev/learn/javascript/cwe-117/log-injection

### Go (1 rules)

- **Log Injection / Log Forging** [MEDIUM]: Detects unsanitized user input flowing into log statements, enabling log forging attacks.
  - Remediation: Remove newlines and control characters from user input before logging.

```go
sanitized := strings.ReplaceAll(userInput, "\n", "")
sanitized = strings.ReplaceAll(sanitized, "\r", "")
log.Printf("User action: %s", sanitized)
```

Learn more: https://shoulder.dev/learn/go/cwe-117/log-injection

### Typescript (1 rules)

- **Log Injection** [MEDIUM]: Detects user input flowing to persistent log files without sanitization.
  - Remediation: Sanitize user input before logging to prevent log forgery:

```javascript
const sanitize = (str) => str.replace(/[\r\n]/g, '').substring(0, 200);
logger.info('Login attempt', { username: sanitize(req.body.username) });
```

Learn more: https://shoulder.dev/learn/javascript/cwe-117/log-injection

### Python (1 rules)

- **Log Injection / Log Forging** [MEDIUM]: Detects user input flowing directly into log messages without sanitization.
  - Remediation: Use structured logging with separate fields for user data.

```python
logging.info("Login attempt", extra={'username': username})
```

Learn more: https://shoulder.dev/learn/python/cwe-117/log-injection