Leakage of information in logger message

Overview

  • Rule ID: javascript_lang_logger_leak

  • Applicable Languages: JavaScript

  • Weakness ID: CWE-532

Description

Information leakage through logger messages can expose sensitive data. This vulnerability occurs when dynamic data or variables, potentially containing sensitive information, are included in log messages.

Remediation Guidelines

  • Avoid including sensitive data directly in logger messages, as this can result in the exposure of such data in log files that may be accessible to unauthorized individuals. For example, using

    logger.info(`Results: ${data}`) // unsafe
    
  • Instead, use logging levels appropriately to manage the verbosity of log output and reduce the risk of disclosing sensitive information in production environments.
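As an added example (not part of the rule text), the unsafe pattern above beside a logging wrapper that redacts sensitive fields and bearer tokens before the message is built; `SENSITIVE_KEY_RE`, `redact` and `safeLogLine` are names chosen here, and the sample object is constructed.

```javascript
// Keys whose values must never reach a log line (assumed list; extend per application).
const SENSITIVE_KEY_RE = /(password|passwd|secret|token|authorization|cookie|ssn|card)/i;
// Bearer tokens embedded in free-text strings, e.g. a captured header value.
const BEARER_RE = /Bearer\s+[A-Za-z0-9\-._~+/]+=*/g;

// Unsafe: dumps whatever the variable holds straight into the log (CWE-532).
function unsafeLine(data) {
  return `Results: ${JSON.stringify(data)}`;
}

// Walk the value and replace sensitive fields/substrings; depth guard avoids cycles.
function redact(value, depth = 0) {
  if (depth > 8) return '[truncated]';
  if (Array.isArray(value)) return value.map((v) => redact(v, depth + 1));
  if (value && typeof value === 'object') {
    const out = {};
    for (const [key, v] of Object.entries(value)) {
      out[key] = SENSITIVE_KEY_RE.test(key) ? '[REDACTED]' : redact(v, depth + 1);
    }
    return out;
  }
  if (typeof value === 'string') return value.replace(BEARER_RE, 'Bearer [REDACTED]');
  return value;
}

// Safe: structured data is redacted before it is serialised into the message.
function safeLogLine(level, message, data) {
  return `${level.toUpperCase()} ${message} ${JSON.stringify(redact(data))}`;
}

// Constructed sample result, as might be returned by an auth or profile lookup.
const sampleResult = {
  user: 'alice',
  password: 'hunter2',
  profile: { api_token: 'abc123', city: 'Oslo' },
  note: 'Authorization: Bearer eyJhbGc.xyz',
};

console.log(unsafeLine(sampleResult));            // leaks password, token and bearer value
console.log(safeLogLine('info', 'Results:', sampleResult)); // all three redacted
```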
