Leakage of sensitive information in logger message
- Rule ID: ruby_lang_logger
- Languages: ruby
- Source: logger.yml
Description
Sensitive information leakage in logger messages can compromise user privacy and security. This vulnerability occurs when sensitive data, such as personally identifiable information (PII), is included in log messages, making it accessible to anyone who can read the logs, including unauthorized individuals.
Remediations
- Do not include sensitive data in logger messages. This can lead to unintended exposure of personal or confidential information.
logger.info("User is: #{user.email}") # unsafe: interpolates the user's e-mail address into the log line
- Do use non-sensitive, unique identifiers to reference users or other entities in log messages. This approach maintains privacy while still allowing for effective logging.
logger.info("User is: #{user.uuid}") # safe: an opaque identifier, not PII
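The following is an added example, not code from the Bearer rule or its documentation, showing both remediation points side by side: the unsafe interpolation of an e-mail address, the remediated line that references the user by an opaque identifier, and a redacting formatter on Ruby's standard `Logger` that masks anything shaped like an e-mail address as a defence-in-depth backstop. The `User` struct, `SAMPLE_USER` values and `EMAIL_PATTERN` regex are constructed for this example; the logger writes to an in-memory `StringIO` so the resulting line can be inspected.

```ruby
require 'logger'
require 'stringio'

# Constructed sample entity (not from the original page): a user with both a
# sensitive attribute (email) and a non-sensitive opaque identifier (uuid).
User = Struct.new(:email, :uuid)

SAMPLE_USER = User.new('alice@example.com', '3f2a9c1e-7b4d-4e6f-9a0b-1c2d3e4f5a6b')

# Regex covering the common e-mail shape (an assumption for this example).
# The redacting formatter uses it as a backstop for the case where a developer
# still interpolates a sensitive field into a message.
EMAIL_PATTERN = /[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}/

# Build a Logger writing to the given IO (here an in-memory buffer so the
# result can be inspected). When `redact` is true, the formatter masks anything
# that looks like an e-mail address before the line is written.
def build_logger(io, redact: false)
  logger = Logger.new(io)
  logger.formatter = proc do |severity, _time, _progname, msg|
    text = msg.to_s
    text = text.gsub(EMAIL_PATTERN, '[REDACTED-EMAIL]') if redact
    "#{severity}: #{text}\n"
  end
  logger
end

# Unsafe pattern flagged by the rule: the user's e-mail is interpolated into
# the message. Returns the emitted log line.
def log_user_unsafe(user, redact: false)
  io = StringIO.new
  build_logger(io, redact: redact).info("User is: #{user.email}")
  io.string
end

# Remediated pattern: reference the user by an opaque identifier instead.
# Returns the emitted log line.
def log_user_safe(user)
  io = StringIO.new
  build_logger(io).info("User is: #{user.uuid}")
  io.string
end

if __FILE__ == $PROGRAM_NAME
  puts log_user_unsafe(SAMPLE_USER)               # leaks the address
  puts log_user_unsafe(SAMPLE_USER, redact: true) # masked by the formatter
  puts log_user_safe(SAMPLE_USER)                 # no PII in the line
end
```

The redacting formatter is a safety net, not a substitute for the remediation: pattern-based masking only catches data shapes you anticipated, whereas logging the `uuid` keeps PII out of the line in the first place and still lets you correlate events for a given user.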
References
Associated CWE
OWASP Top 10
Configuration
To skip this rule during a scan, use the following flag
bearer scan /path/to/your-project/ --skip-rule=ruby_lang_logger
To run only this rule during a scan, use the following flag
bearer scan /path/to/your-project/ --only-rule=ruby_lang_logger