Leakage of sensitive information to standard output stream

Description

Exposing sensitive information in a standard output stream can compromise user privacy and security. This vulnerability occurs when Personally Identifiable Information (PII) or other confidential data is printed to standard output, making it potentially accessible to unauthorized individuals.

Remediations

  • Do not print sensitive data to standard output. This can lead to unintended exposure of user information.
    System.out.println(user.email); // unsafe: prints PII
  • Do use non-sensitive, unique identifiers like UUIDs to refer to users or entities in standard output, instead of printing sensitive data.
    System.out.println(user.uuid); // safe: opaque identifier
  • Do use static messages that do not contain dynamic variables or user attributes. This reduces the risk of accidental information disclosure.
    System.out.println("user signed in"); // safe: no user data
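The three remediations in one class, as an added example that is not part of the Bearer rule page (the User type and sample values are constructed for it). It also covers a case the bullets do not spell out: printing the object itself leaks every field through a default toString(), so the identifier-only rule is applied there too.

```java
import java.util.UUID;

public final class StandardOutputExample {

    // Hypothetical user type, constructed for this example.
    static final class User {
        final UUID uuid;
        final String email;
        final String fullName;

        User(UUID uuid, String email, String fullName) {
            this.uuid = uuid;
            this.email = email;
            this.fullName = fullName;
        }

        // Records, Lombok @Data and IDE-generated toString() print every field,
        // so a stray System.out.println(user) would leak email and name.
        // Limiting toString() to the opaque identifier keeps even an
        // accidental println(user) non-sensitive.
        @Override
        public String toString() {
            return "User[uuid=" + uuid + "]";
        }
    }

    // Unsafe: PII goes straight to stdout. This is the pattern the rule flags.
    static void reportSignInUnsafe(User user) {
        System.out.println("signed in: " + user.email + " (" + user.fullName + ")");
    }

    // Safe: a static message, optionally followed by a UUID rather than PII.
    static void reportSignInSafe(User user) {
        System.out.println("user signed in");
        System.out.println("user signed in: id=" + user.uuid);
    }

    public static void main(String[] args) {
        // Constructed sample values; any resemblance to real data is accidental.
        User user = new User(UUID.randomUUID(), "alice@example.com", "Alice Example");
        reportSignInSafe(user);
        System.out.println(user); // prints only User[uuid=...] because of toString()
    }
}
```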

Configuration

To skip this rule during a scan, use the following flag:

bearer scan /path/to/your-project/ --skip-rule=java_lang_standard_output

To run only this rule during a scan, use the following flag:

bearer scan /path/to/your-project/ --only-rule=java_lang_standard_output