# Insertion of Sensitive Information into Log File (CWE-532)

Information written to log files can be of a sensitive nature and give valuable guidance to an attacker or expose sensitive user information.

**Stack:** Go

- Prevalence: Medium (covers 3 languages)
- Impact: High (1 rule with severity High)
- Prevention: 3 remediation examples documented

**OWASP:** Security Logging and Monitoring Failures (A09:2021-Security Logging and Monitoring Failures) - #9

## Description

When sensitive information like passwords, tokens, or personal data is logged, it becomes accessible to anyone with access to the logs. Log files are often stored with less security than the data they contain.

## Prevention

Prevention strategy for Information Exposure Through Logs, based on 1 Shoulder detection rule.

### Go

Never log passwords, tokens, or PII; log presence/absence instead.

## Consequences

- Read application data
- Gain privileges

## Mitigations

- Never log sensitive information such as passwords or tokens
- Implement classification and filtering of log data
- Mask or redact sensitive data before logging

## Detection

- Total rules: 3
- Languages: go, javascript, typescript, python

## Rules by Language

### Go (1 rule)

- **Logging Sensitive Data** [MEDIUM]: Passwords, tokens, or PII logged via log.Printf or similar functions.
  - Remediation: Never log sensitive values. Log presence/absence instead of actual values.

```go
// Log only that the API key is configured, never its value
if apiKey != "" {
	log.Println("API key configured")
}
```

Learn more: https://shoulder.dev/learn/go/cwe-532/sensitive-data-logging
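The three mitigations above (never log secrets, classify and filter log data, mask or redact before logging) worked through in one added Go example. This is not Shoulder's code or rule logic; the field-name deny list, the bearer-token pattern, the masking format and the function names (`RedactFields`, `MaskEmail`, `ScrubMessage`, `FormatFields`) are assumptions made for the illustration, and the request fields in `main` are constructed sample data.

```go
package main

import (
	"fmt"
	"log"
	"regexp"
	"sort"
	"strings"
)

// sensitiveKeys is an assumed classification list: any field whose
// (lower-cased) name appears here is treated as a secret or PII and must
// never reach a log line as a value.
var sensitiveKeys = map[string]bool{
	"password": true, "passwd": true, "secret": true, "token": true,
	"api_key": true, "apikey": true, "authorization": true, "ssn": true,
}

// bearerRe matches bearer tokens that leak into free-form messages such as
// error strings copied from upstream responses (assumed pattern).
var bearerRe = regexp.MustCompile(`(?i)bearer\s+[A-Za-z0-9\-._~+/]+=*`)

// RedactFields returns a copy of fields that is safe to log: sensitive values
// are replaced by a presence/absence marker, everything else is kept.
func RedactFields(fields map[string]string) map[string]string {
	out := make(map[string]string, len(fields))
	for k, v := range fields {
		if sensitiveKeys[strings.ToLower(k)] {
			if v == "" {
				out[k] = "<unset>" // presence/absence is still useful for debugging
			} else {
				out[k] = "<redacted>"
			}
			continue
		}
		out[k] = v
	}
	return out
}

// MaskEmail keeps the first character and the domain so operators can still
// correlate events without the full address being written to disk.
func MaskEmail(email string) string {
	at := strings.IndexByte(email, '@')
	if at <= 0 {
		return "<invalid>"
	}
	return email[:1] + "***" + email[at:]
}

// ScrubMessage removes bearer tokens from free-form text before it is logged.
func ScrubMessage(msg string) string {
	return bearerRe.ReplaceAllString(msg, "Bearer <redacted>")
}

// FormatFields applies redaction and masking, then renders the result as
// sorted key=value pairs so the emitted line is deterministic.
func FormatFields(fields map[string]string) string {
	safe := RedactFields(fields)
	if e, ok := safe["email"]; ok {
		safe["email"] = MaskEmail(e)
	}
	keys := make([]string, 0, len(safe))
	for k := range safe {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	parts := make([]string, 0, len(keys))
	for _, k := range keys {
		parts = append(parts, fmt.Sprintf("%s=%s", k, safe[k]))
	}
	return strings.Join(parts, " ")
}

func main() {
	// Constructed sample request context; none of these are real credentials.
	fields := map[string]string{
		"user":     "alice",
		"email":    "alice@example.com",
		"password": "hunter2",
		"api_key":  "",
	}
	log.Printf("login attempt: %s", FormatFields(fields))
	log.Println(ScrubMessage("upstream rejected header Authorization: Bearer abc.def-ghi_123"))
}
```

Routing every structured log call through `FormatFields` (or an equivalent hook in the logger) means the deny list is enforced in one place; a Shoulder-style rule that flags raw `log.Printf` of request data then points at exactly the call sites that bypass it.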