Leakage of sensitive information in logger message

  • Rule ID: java_lang_logger
  • Languages: java
  • Source: logger.yml

Description

Sensitive information leakage in logger messages can compromise user privacy and security. This vulnerability occurs when sensitive data, such as personal identifiable information (PII), is included in log messages, making it accessible to unauthorized individuals.

Remediations

  • Do not include sensitive data in logger messages. This can lead to unintended exposure of personal or confidential information.
    logger.info(user.email) // unsafe
  • Do use non-sensitive, unique identifiers to refer to users or entities in log messages. This approach maintains privacy while still allowing for effective logging.
    logger.info(user.uuid)
  • Do log static messages that do not contain dynamic variables or attributes. This minimizes the risk of accidentally logging sensitive information.
    logger.info("user signed in")
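The three remediations above side by side in one compilable class, as an added example that is not part of the Bearer rule page or the rule's own source. The `User` class, its field names and the use of `java.util.logging` are assumptions chosen for illustration; the point is that the identifier and the static message are safe to emit, while the e-mail address is the kind of PII the rule flags. Overriding `toString()` to omit PII is an extra defensive measure so that logging a whole object by accident does not leak it either.

```java
import java.util.UUID;
import java.util.logging.Logger;

// Added example (not from the rule page): the flagged pattern next to the
// recommended remediations. User, its fields and the logger choice are assumptions.
public class LoggerLeakExample {
    private static final Logger LOGGER = Logger.getLogger(LoggerLeakExample.class.getName());

    static final class User {
        final UUID uuid;    // non-sensitive, stable identifier: safe to log
        final String email; // PII: must not reach log output

        User(UUID uuid, String email) {
            this.uuid = uuid;
            this.email = email;
        }

        // Keep PII out of toString() so that logging the object itself
        // (for example "audit entry for " + user) cannot leak the e-mail.
        @Override
        public String toString() {
            return "User{uuid=" + uuid + "}";
        }
    }

    static void unsafeLogin(User user) {
        // Flagged by java_lang_logger: the e-mail address lands in the log file.
        LOGGER.info("user signed in: " + user.email);
    }

    static void safeLogin(User user) {
        // Remediation: refer to the user by an opaque, non-sensitive identifier.
        LOGGER.info("user signed in: " + user.uuid);
        // Remediation: a static message carries no dynamic attribute at all.
        LOGGER.info("user signed in");
    }

    public static void main(String[] args) {
        // Constructed sample value; not a real address.
        User user = new User(UUID.randomUUID(), "alice@example.com");
        safeLogin(user);
        LOGGER.info("audit entry for " + user); // toString() omits the e-mail
    }
}
```

Compile and run with `javac LoggerLeakExample.java && java LoggerLeakExample`; only the UUID and the static message appear in the output, never the address. `unsafeLogin` is kept in the class solely to show the construct the rule reports.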

References

Associated CWE

OWASP Top 10

Configuration

To skip this rule during a scan, use the following flag:

bearer scan /path/to/your-project/ --skip-rule=java_lang_logger

To run only this rule during a scan, use the following flag:

bearer scan /path/to/your-project/ --only-rule=java_lang_logger