python.lang.security.audit.logging.logger-credential-leak.python-logger-credential-disclosure

Verifed by r2c
Community Favorite
profile photo of returntocorpreturntocorp
Author
62,817
Download Count*

Detected a python logger call with a potential hardcoded secret $FORMAT_STRING being logged. This may lead to secret credentials being exposed. Make sure that the logger is not logging sensitive information.

Run Locally

Run in CI

Defintion

rules:
  - id: python-logger-credential-disclosure
    patterns:
      - pattern: |
          $LOGGER_OBJ.$LOGGER_CALL($FORMAT_STRING,...)
      - metavariable-regex:
          metavariable: $LOGGER_OBJ
          regex: (?i)(_logger|logger|self.logger|log)
      - metavariable-regex:
          metavariable: $LOGGER_CALL
          regex: (debug|info|warn|warning|error|exception|critical)
      - metavariable-regex:
          metavariable: $FORMAT_STRING
          regex: (?i).*(api.key|secret|credential|token|password).*\%s.*
    message: Detected a python logger call with a potential hardcoded secret
      $FORMAT_STRING being logged. This may lead to secret credentials being
      exposed. Make sure that the logger is not logging  sensitive information.
    severity: WARNING
    languages:
      - python
    metadata:
      cwe:
        - "CWE-532: Insertion of Sensitive Information into Log File"
      category: security
      technology:
        - python
      owasp:
        - A09:2021 - Security Logging and Monitoring Failures
      references:
        - https://owasp.org/Top10/A09_2021-Security_Logging_and_Monitoring_Failures
      subcategory:
        - vuln
      likelihood: LOW
      impact: MEDIUM
      confidence: MEDIUM
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]

Examples

logger-credential-leak.py

import logging

logger = logging.getLogger("some_app")

def some_api_call(foo):
    return

def bad1(secret):
    # ruleid: python-logger-credential-disclosure
    logger.info("here is my secret value: %s",secret)

def bad2(api_key):
    try:
        some_api_call(api_key)
    except:
        # ruleid: python-logger-credential-disclosure
        logger.error("api call using api key %s failed",api_key)

def ok(api_key):
    try:
        some_api_call(api_key)
    except:
        # this is OK
        logger.exception("api call failed.  Check your API key!")