python.lang.security.audit.logging.logger-credential-leak.python-logger-credential-disclosure

Verifed by r2c

Community Favorite

semgrep

Author

62,817

Download Count*

LGPL Commons Clause

License

Detected a python logger call with a potential hardcoded secret $FORMAT_STRING being logged. This may lead to secret credentials being exposed. Make sure that the logger is not logging sensitive information.

Run Locally

Run in CI

Semgrep CI docs

Defintion

Edit Rule View Source

Open in Playground

rules:
  - id: python-logger-credential-disclosure
    patterns:
      - pattern: |
          $LOGGER_OBJ.$LOGGER_CALL($FORMAT_STRING,...)
      - metavariable-regex:
          metavariable: $LOGGER_OBJ
          regex: (?i)(_logger|logger|self.logger|log)
      - metavariable-regex:
          metavariable: $LOGGER_CALL
          regex: (debug|info|warn|warning|error|exception|critical)
      - metavariable-regex:
          metavariable: $FORMAT_STRING
          regex: (?i).*(api.key|secret|credential|token|password).*\%s.*
    message: Detected a python logger call with a potential hardcoded secret
      $FORMAT_STRING being logged. This may lead to secret credentials being
      exposed. Make sure that the logger is not logging  sensitive information.
    severity: WARNING
    languages:
      - python
    metadata:
      cwe:
        - "CWE-532: Insertion of Sensitive Information into Log File"
      category: security
      technology:
        - python
      owasp:
        - A09:2021 - Security Logging and Monitoring Failures
      references:
        - https://owasp.org/Top10/A09_2021-Security_Logging_and_Monitoring_Failures
      subcategory:
        - vuln
      likelihood: LOW
      impact: MEDIUM
      confidence: MEDIUM
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Mishandled Sensitive Information

Examples

logger-credential-leak.py

import logging

logger = logging.getLogger("some_app")

def some_api_call(foo):
    return

def bad1(secret):
    # ruleid: python-logger-credential-disclosure
    logger.info("here is my secret value: %s",secret)

def bad2(api_key):
    try:
        some_api_call(api_key)
    except:
        # ruleid: python-logger-credential-disclosure
        logger.error("api call using api key %s failed",api_key)

def ok(api_key):
    try:
        some_api_call(api_key)
    except:
        # this is OK
        logger.exception("api call failed.  Check your API key!")

Short Link: https://sg.run/ydNx