Log Injection High

User input reaches the log output without sanitization, which allows manipulation of logged data. A malicious user can embed line breaks in the input to forge log entries and record false information.

Detector ID
ruby/log-injection@v1.0
Category
Common Weakness Enumeration (CWE)
Tags
-

Noncompliant example

def log_params_noncompliant
  init_logger

  unsanitized = params[:foo]
  # Noncompliant: unsanitized user input is written to the log; an embedded
  # newline lets the caller terminate this record and append a fabricated one
  @logger.error "input: " + unsanitized
end

Compliant example

def log_params_compliant
  init_logger

  unsanitized = params[:foo]

  # Remove line feeds so the value cannot start a new log record
  sanitized = unsanitized.gsub("\n", "")
  # Compliant: sanitized user input is written to the log
  @logger.warn "input: " + sanitized
end
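The following example is added here and is not part of the detector page; it runs the noncompliant and compliant patterns above side by side against a constructed input so the effect of the missing sanitization is visible in the resulting log lines. It uses Ruby's standard Logger writing to an in-memory StringIO (instead of the page's init_logger and params, which are assumed to be Rails-style helpers), and its sanitize_for_log generalizes the page's gsub("\n", "") to also strip carriage returns, since "\r" and "\r\n" terminate a record in many log viewers just as "\n" does.

```ruby
require 'logger'
require 'stringio'

# Constructed sample of attacker-controlled input (not from the original page):
# the embedded newline is what lets the value masquerade as a second log record.
FORGED_INPUT = "alice\n[ERROR] auth: login succeeded for admin".freeze

# Strip carriage returns and line feeds so the value cannot terminate the
# current record and start a new one. This covers "\r", "\n" and "\r\n",
# going one step beyond the page's gsub("\n", "").
def sanitize_for_log(value)
  value.to_s.gsub(/[\r\n]/, "")
end

# Write one event to an in-memory logger and return the resulting log lines.
# `sanitize:` switches between the noncompliant and compliant behaviour.
def log_event(user_input, sanitize:)
  buffer = StringIO.new
  logger = Logger.new(buffer)
  # Fixed, timestamp-free format so the output is easy to inspect and compare
  logger.formatter = proc { |severity, _time, _progname, msg| "[#{severity}] #{msg}\n" }

  value = sanitize ? sanitize_for_log(user_input) : user_input
  logger.warn("input: " + value)

  buffer.string.lines.map(&:chomp)
end

if __FILE__ == $PROGRAM_NAME
  puts "noncompliant (two records, the second one forged):"
  puts log_event(FORGED_INPUT, sanitize: false)
  puts "compliant (one record, line break removed):"
  puts log_event(FORGED_INPUT, sanitize: true)
end
```

Without sanitization the single call to logger.warn produces two lines, and the second reads as a genuine ERROR record; with sanitization the whole input stays inside one WARN record, where any "[ERROR]" text is clearly part of the user-supplied value. Removing line breaks is the minimum; if the log is consumed by a parser, escaping or encoding the value (for example as JSON) is the more robust choice.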