测试版 Shoulder 目前处于测试阶段 — 结果有时可能不正确。您的反馈塑造我们接下来要修复的内容。 分享反馈
📋

Insertion of Sensitive Information into Log File

🛡️ 3 条规则检测到此问题

Insertion of Sensitive Information into Log File

Information written to log files can be of a sensitive nature and give valuable guidance to an attacker or expose sensitive user information.

When sensitive information like passwords, tokens, or personal data is logged, it becomes accessible to anyone with access to the logs. Log files are often stored with less security than the data they contain.

普遍性
覆盖 3 种语言
影响
1 条严重级别为高的规则
预防
已记录
3 个修复示例
2 预防
2 预防

如何修复此漏洞

基于 3 条 Shoulder 检测规则的 Information Exposure Through Logs 预防策略。

Logging Sensitive Data MEDIUM

Never log passwords, tokens, or PII; log presence/absence instead

+1 -1 go
  func authenticateUser(username, password string) error {
-     log.Printf("Auth: user=%s password=%s", username, password)
+     log.Printf("Auth attempt: user=%s", username)
      return nil
  }
  
Sensitive Data Exposure in Logs MEDIUM

Exclude sensitive fields from logged data using destructuring or redaction

+2 -1 javascript
  app.post('/login', (req, res) => {
-   console.log('Login request:', req.body);
+   const { password, ...safeBody } = req.body;
+   logger.info('Login request:', safeBody);
  });
  
Sensitive Data in Logging HIGH

Redact sensitive fields before logging; log actions and identifiers, not credentials

+1 -1 python
  import logging
  
  logger = logging.getLogger(__name__)
  
  def login(username, password):
-     logger.info(f"Login: user={username}, password={password}")
+     logger.info(f"Login attempt for user: {username}")
      authenticate(username, password)
  
3 检测
3 检测

查找代码中的漏洞

使用Shoulder扫描代码中的Insertion of Sensitive Information into Log File模式。 3 规则.

终端
# Scan with Shoulder CLI
npx @shoulderdev/cli trust --cwe=532

# Or scan entire project
npx @shoulderdev/cli trust .

检测规则 (3)

4 警告信号
4 警告信号

代码审查中需要关注的内容

这些模式表明潜在的Insertion of Sensitive Information into Log File漏洞。在代码审查和安全审计中注意查找。

🟠
logging of sensitive data like passwords, API keys, tokens, credit cards, or authentication credenti python-sensitive-data-logging
🟡
when user-provided sensitive data (passwords, tokens, API keys, secrets, etc javascript-sensitive-data-logging
🔍

扫描你的代码库: Insertion of Sensitive Information into Log File

Shoulder CLI 在整个代码库中找到易受攻击的模式。