Leakage of information in logger message
- Rule ID: go_lang_logger_leak
- Languages: go
- Source: logger_leak.yml
Description
Information leakage through logger messages can result in data breaches. This vulnerability arises when dynamic data or variables that may contain sensitive information (such as e-mail addresses, credentials or tokens) are interpolated into log messages, where they persist in log files and log aggregation systems that are often less protected than the application's primary data store.
Remediations
- Do not include variables or dynamic data containing sensitive information in logger messages. This can inadvertently expose sensitive data.
log.Printf("User is: '%s'", user.Email) // unsafe
- Do sanitize or remove sensitive information from data before logging. Ensure that logged information does not contain any personal or confidential data.
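The following Go program is an added example, not code from the Bearer documentation: it places the flagged pattern next to two remediations from the list above, a redaction helper that masks an e-mail address before it is logged, and a wrapper type whose String method makes fmt and log print the masked form by default. The User type, its ID and Email fields, and the sample address are constructed for the example.

```go
package main

import (
	"fmt"
	"log"
	"strings"
)

// User is a constructed sample type (assumption for this example, not from the
// rule documentation). Email is personal data and must not reach the logs raw.
type User struct {
	ID    int
	Email string
}

// RedactEmail keeps the first character of the local part and the full domain
// and masks everything else, so a log line stays useful for debugging without
// reproducing the address. Malformed or empty input is fully redacted rather
// than echoed back.
func RedactEmail(email string) string {
	at := strings.LastIndex(email, "@")
	if at <= 0 {
		return "[redacted]"
	}
	local, domain := []rune(email[:at]), email[at:]
	if len(local) < 2 {
		// A one-character local part would be printed in full; mask it too.
		return "*" + domain
	}
	return string(local[0]) + strings.Repeat("*", len(local)-1) + domain
}

// Email is a wrapper whose String method returns the masked address, so any
// fmt or log verb (%s, %v, Println) prints the redacted form unless code
// deliberately converts back to a plain string.
type Email string

func (e Email) String() string { return RedactEmail(string(e)) }

// FormatEmailValue shows the default formatting path a logger takes: fmt
// calls String on the wrapper, so the raw address never appears.
func FormatEmailValue(e Email) string { return fmt.Sprint(e) }

// UnsafeLogLine builds the message the rule flags: dynamic data that is
// personal information is interpolated straight into the log text.
func UnsafeLogLine(u User) string {
	return fmt.Sprintf("User is: '%s'", u.Email) // unsafe: PII lands in the log
}

// SafeLogLine logs a non-sensitive identifier plus the redacted address, which
// is enough to correlate the event with a record without exposing the data.
func SafeLogLine(u User) string {
	return fmt.Sprintf("user_id=%d email=%s", u.ID, RedactEmail(u.Email))
}

func main() {
	u := User{ID: 42, Email: "alice@example.com"} // constructed sample record
	log.Println(SafeLogLine(u))                      // user_id=42 email=a****@example.com
	log.Printf("login ok for %s", Email(u.Email))    // wrapper redacts automatically
}
```

Wrapping the field in a type with a redacting String method is the more robust of the two remediations: a later call site that forgets to invoke RedactEmail still produces a masked line, and a scanner rule like this one then only has to flag the explicit conversions back to string.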
Associated CWE
OWASP Top 10
Configuration
To skip this rule during a scan, use the following flag
bearer scan /path/to/your-project/ --skip-rule=go_lang_logger_leak
To run only this rule during a scan, use the following flag
bearer scan /path/to/your-project/ --only-rule=go_lang_logger_leak