Untrusted user input reaches the log output, which allows manipulation of the logged data: a malicious user may use it to log false information.
# Noncompliant example: a request parameter is written verbatim to the log.
# Nothing strips line breaks, so a value containing "\r" or "\n" terminates
# the current log record and the remainder is recorded as if it were a
# separate, genuine entry (log forging). init_logger is assumed to set
# @logger; a missing param (nil) makes the string concatenation raise TypeError.
def log_params_noncompliant
  init_logger

  unsanitized = params[:foo]
  # Noncompliant: Unsanitized user-input is used in logger
  @logger.error "input: " + unsanitized
end
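# Compliant example: a request parameter is sanitized before it is logged.
# Removing only "\n" is not sufficient -- a bare "\r" still starts a new line
# in many log viewers, and other control characters (e.g. ESC) can corrupt
# terminal output -- so every control character is stripped. init_logger is
# assumed to set @logger; to_s tolerates a missing param instead of raising.
def log_params_compliant
  init_logger

  unsanitized = params[:foo]

  # Compliant: all control characters (CR, LF, ESC, ...) are removed from the
  # user-supplied value so it cannot break out of the current log record.
  sanitized = unsanitized.to_s.gsub(/[[:cntrl:]]/, "")
  @logger.warn "input: #{sanitized}"
end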