Leakage of information in logger message

  • Rule ID: javascript_lang_logger_leak
  • Languages: javascript
  • Source: logger_leak.yml

Description

Information leakage through logger messages can compromise sensitive data. Log files and log aggregation services are usually far less protected than the data stores they describe, and are readable by operators, support staff and third-party tooling that should never see user data. This rule flags log messages that are built from dynamic data or variables, because such values may carry sensitive information (credentials, tokens, personal data) straight into the logs.

Remediations

  • Do not include sensitive data directly in logger messages. Interpolating a whole record or variable exposes whatever it happens to contain in log files, which might be accessible to unauthorized individuals. Log a stable identifier, or a projection of the record limited to fields that are known to be safe, instead of the raw value.
    logger.info(`Results: ${data}`) // unsafe
  • Do use logging levels appropriately to control the verbosity of log output and minimize the risk of leaking sensitive information in production environments. Treat this as a second line of defense only: debug-level logging is routinely enabled in production to investigate incidents, and whatever is emitted is retained by the aggregator, so a value that is unsafe to log at `info` is unsafe at `debug` too.
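The following is an added example and not code from the Bearer rule or its documentation. It puts the pattern the rule flags next to a hardened form that passes the record through an allowlisting redactor before it is interpolated into the message. `redactForLog`, `LOGGABLE_FIELDS`, `SENSITIVE_KEY`, the in-memory `logger` and the sample record are all hypothetical helpers written for this example; a real application would use its own logger (pino, winston, console) in place of the in-memory one.

```javascript
// Added example (not Bearer's code): safe and unsafe logging of a record.

// Field names that are safe to write to logs (an assumption for this example;
// the list belongs in the application's own data classification).
const LOGGABLE_FIELDS = new Set(["id", "status", "count", "items"]);

// Key names that must never be logged, even if someone later allowlists them.
const SENSITIVE_KEY = /pass(word)?|secret|token|ssn|card|email|phone/i;

// Returns a copy of `value` that contains only allowlisted keys. Keys matching
// SENSITIVE_KEY are replaced by a marker so the omission is visible in the log;
// any other key is dropped. Nested objects and arrays are handled recursively,
// with a depth cap so cyclic input cannot recurse forever.
function redactForLog(value, depth = 0) {
  if (depth > 8) return "[too deep]";
  if (Array.isArray(value)) return value.map((v) => redactForLog(v, depth + 1));
  if (value !== null && typeof value === "object") {
    const out = {};
    for (const [key, v] of Object.entries(value)) {
      if (SENSITIVE_KEY.test(key)) out[key] = "[REDACTED]";
      else if (LOGGABLE_FIELDS.has(key)) out[key] = redactForLog(v, depth + 1);
      // keys that are neither allowlisted nor known-sensitive are omitted
    }
    return out;
  }
  // Primitives only reach here underneath an allowlisted key.
  return value;
}

// Minimal logger that records messages so they can be inspected afterwards.
const logger = {
  lines: [],
  info(message) {
    this.lines.push(message);
  },
};

// The pattern the rule flags: the whole record, secrets included, is
// interpolated into the message.
function logResultsUnsafe(data) {
  logger.info(`Results: ${JSON.stringify(data)}`);
  return logger.lines[logger.lines.length - 1];
}

// Hardened form: only the redacted projection reaches the logger.
function logResultsSafe(data) {
  logger.info(`Results: ${JSON.stringify(redactForLog(data))}`);
  return logger.lines[logger.lines.length - 1];
}

// Constructed sample record for the example; not real data.
const sampleRecord = {
  id: 42,
  status: "ok",
  email: "alice@example.com",
  password: "hunter2",
  apiToken: "tok_abc123",
  debugInfo: "internal stack trace text",
  items: [{ id: 1, cardNumber: "4111111111111111" }],
};

if (typeof require !== "undefined" && require.main === module) {
  console.log(logResultsUnsafe(sampleRecord)); // leaks email, password, token, card number
  console.log(logResultsSafe(sampleRecord));   // only id, status and items survive, secrets marked
}
```

The redactor is deliberately allowlist-based: a denylist of known-bad key names alone would let a new field such as `debugInfo` through unnoticed, whereas here it is dropped until someone decides it is safe to log. The `[REDACTED]` marker is kept for matching keys so that a reviewer reading the log can see that a field existed without seeing its value.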

Associated CWE

OWASP Top 10

Configuration

To skip this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --skip-rule=javascript_lang_logger_leak

To run only this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --only-rule=javascript_lang_logger_leak