Leakage of sensitive information in logger message

• Rule ID: javascript_lang_logger
• Languages: javascript
• Source: logger.yml

Description

Sensitive information leakage through logger messages can compromise user privacy and security. This vulnerability occurs when sensitive data, such as personal identifiable information (PII), is included in log messages, making it accessible to unauthorized individuals.

Remediations

• Do not include sensitive data in logger messages. This can lead to unintended exposure of private information.

  logger.info(`User is: ${user.email}`) // unsafe

• Do use non-sensitive, unique identifiers to reference users in log messages. This approach maintains user privacy while still allowing for effective logging.

  logger.info(`User is: ${user.uuid}`)

References

• OWASP Logging Cheat Sheet

Associated CWE

• CWE-532: Insertion of Sensitive Information into Log File

OWASP Top 10

• A09:2021 - Security Logging and Monitoring Failures

Configuration

To skip this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --skip-rule=javascript_lang_logger

To run only this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --only-rule=javascript_lang_logger