Leakage of sensitive information in logger message

• Rule ID: php_third_parties_logger
• Languages: php
• Source: logger.yml

Description

Leaking sensitive data to loggers is a common cause of data leaks and can lead to data breaches.

Remediations

• Do not include sensitive data in logger messages.

  $log->info('User is: ' . $user.email) // unsafe

• Do use unique identifiers from the database (instead of personal identifiable information) if you really need to identify users.

  log->info('User is: ' . $user.uuid)

Resources

• OWASP logging cheat sheet

Associated CWE

• CWE-532: Insertion of Sensitive Information into Log File

OWASP Top 10

• A09:2021 - Security Logging and Monitoring Failures

Configuration

To skip this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --skip-rule=php_third_parties_logger

To run only this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --only-rule=php_third_parties_logger