Leakage of sensitive information in logger message

• Rule ID: php_lang_logger
• Languages: php
• Source: logger.yml

Description

Sensitive information leakage in logger messages can compromise user privacy and security. This vulnerability occurs when sensitive data, such as personal identifiable information (PII), is included in log messages, making it accessible to unauthorized individuals.

Remediations

• Do not include sensitive data in logger messages. This can lead to unintentional exposure of private information.

  error_log('User is: ' . $user.email);  // unsafe

• Do use non-sensitive, unique identifiers to reference users or other entities in log messages. This approach helps maintain privacy and security.

  error_log('User is: ' . $user.uuid);

References

• OWASP Logging Cheat Sheet

Associated CWE

• CWE-532: Insertion of Sensitive Information into Log File

OWASP Top 10

• A09:2021 - Security Logging and Monitoring Failures

Configuration

To skip this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --skip-rule=php_lang_logger

To run only this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --only-rule=php_lang_logger