python.lang.security.audit.logging.logger-credential-leak.python-logger-credential-disclosure
Verified by r2c
Community Favorite
Author: semgrep
Download Count*: 62,817
Detected a python logger call with a potential hardcoded secret $FORMAT_STRING being logged. This may lead to secret credentials being exposed. Make sure that the logger is not logging sensitive information.
Definition
rules:
- id: python-logger-credential-disclosure
  patterns:
  - pattern: |
      $LOGGER_OBJ.$LOGGER_CALL($FORMAT_STRING,...)
  - metavariable-regex:
      metavariable: $LOGGER_OBJ
      regex: (?i)(_logger|logger|self.logger|log)
  - metavariable-regex:
      metavariable: $LOGGER_CALL
      regex: (debug|info|warn|warning|error|exception|critical)
  - metavariable-regex:
      metavariable: $FORMAT_STRING
      regex: (?i).*(api.key|secret|credential|token|password).*\%s.*
  message: Detected a python logger call with a potential hardcoded secret
    $FORMAT_STRING being logged. This may lead to secret credentials being
    exposed. Make sure that the logger is not logging sensitive information.
  severity: WARNING
  languages:
  - python
  metadata:
    cwe:
    - "CWE-532: Insertion of Sensitive Information into Log File"
    category: security
    technology:
    - python
    owasp:
    - A09:2021 - Security Logging and Monitoring Failures
    references:
    - https://owasp.org/Top10/A09_2021-Security_Logging_and_Monitoring_Failures
    subcategory:
    - vuln
    likelihood: LOW
    impact: MEDIUM
    confidence: MEDIUM
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    vulnerability_class:
    - Mishandled Sensitive Information
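The rule reports a call only when all three metavariable-regex constraints hold on what the pattern bound: the receiver must look like a logger, the method must be a logging level, and the first argument must mention a credential keyword and contain a literal `%s`. The following is an added example, not part of the rule or of Semgrep, that applies those same three regexes in plain Python to constructed source lines. The single-line `CALL_RE` stand-in for the AST pattern and the use of `re.match` for the constraints are assumptions made for this emulation; Semgrep matches on the parsed tree. It shows why the page's `ok` function passes (no `%s`) and, beyond the page's examples, why an f-string or a concatenated string carrying the same value is not reported.

```python
import re

# The three metavariable-regex constraints, copied verbatim from the rule definition.
LOGGER_OBJ_RE = re.compile(r"(?i)(_logger|logger|self.logger|log)")
LOGGER_CALL_RE = re.compile(r"(debug|info|warn|warning|error|exception|critical)")
FORMAT_STRING_RE = re.compile(r"(?i).*(api.key|secret|credential|token|password).*\%s.*")

# Line-level stand-in (an assumption of this emulation) for the Semgrep pattern
#     $LOGGER_OBJ.$LOGGER_CALL($FORMAT_STRING, ...)
# Semgrep matches on the parsed AST; this constructed regex only recognises a
# single-line call whose first argument is a plain string literal, which is
# enough to show which sample lines the rule's regexes would accept.
CALL_RE = re.compile(
    r"^\s*(?P<obj>[\w.]+)\.(?P<call>\w+)\(\s*"
    r"(?P<fmt>[fFrRbB]*(?:\"[^\"]*\"|'[^']*'))\s*(?:,|\))"
)


def rule_flags(line: str) -> bool:
    """Return True when every metavariable constraint of the rule is satisfied.

    The constraints are applied with re.match (anchored at the start of the
    bound text); that is an assumption about Semgrep's matching semantics
    made for this emulation.
    """
    call = CALL_RE.match(line)
    if call is None:
        return False  # not a <obj>.<method>("literal", ...) call at all
    return (
        LOGGER_OBJ_RE.match(call.group("obj")) is not None
        and LOGGER_CALL_RE.match(call.group("call")) is not None
        and FORMAT_STRING_RE.match(call.group("fmt")) is not None
    )


# Constructed sample lines: the first three mirror bad1, bad2 and ok from the
# page's example file; the last two probe what the rule cannot see.
SAMPLE_LINES = [
    'logger.info("here is my secret value: %s", secret)',
    'logger.error("api call using api key %s failed", api_key)',
    'logger.exception("api call failed. Check your API key!")',
    'logger.info(f"token is {token}")',
    'logger.info("password: " + password)',
]


def scan(lines):
    """Return the subset of lines the emulated rule would report."""
    return [line for line in lines if rule_flags(line)]


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print("FLAG " if rule_flags(line) else "pass ", line)
```

Only the first two sample lines are reported. The third mentions "API key" but has no `%s`; the fourth interpolates the value through an f-string, so `$FORMAT_STRING` never contains `%s`; the fifth builds the message by concatenation, so the first argument is not a string literal at all. Those two are the cases a reviewer should not expect this rule to surface, which is consistent with its LOW likelihood and MEDIUM confidence metadata.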
Examples
logger-credential-leak.py
import logging

logger = logging.getLogger("some_app")


def some_api_call(foo):
    return


def bad1(secret):
    # ruleid: python-logger-credential-disclosure
    logger.info("here is my secret value: %s", secret)


def bad2(api_key):
    try:
        some_api_call(api_key)
    except:
        # ruleid: python-logger-credential-disclosure
        logger.error("api call using api key %s failed", api_key)


def ok(api_key):
    try:
        some_api_call(api_key)
    except:
        # this is OK
        logger.exception("api call failed. Check your API key!")
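The fix the rule asks for is the one `ok` shows: keep the value out of the call entirely. As an added example that is not part of the rule or of Semgrep, the hypothetical `logging.Filter` below reuses the rule's keyword list as a second line of defence for code that has not been fixed yet: when a message template mentions a credential keyword, the interpolated argument values are replaced with a marker before any handler sees the record. `SecretRedactingFilter`, `ListHandler`, `build_logger` and the sample values are all constructed for this example.

```python
import logging
import re

# Same keyword list the rule's $FORMAT_STRING regex uses.
SENSITIVE_RE = re.compile(r"(?i)(api.key|secret|credential|token|password)")
REDACTED = "[REDACTED]"


class SecretRedactingFilter(logging.Filter):
    """Hypothetical defence-in-depth filter (not part of the rule or of Semgrep).

    When a message template mentions a sensitive keyword, the record is
    rendered once, every interpolated argument value is replaced with a
    marker, and the arguments are dropped so that no handler or formatter
    can recover the original value. It does not fix the code the rule points
    at; it limits the damage until that code is fixed.
    """

    def filter(self, record: logging.LogRecord) -> bool:
        if isinstance(record.msg, str) and record.args and SENSITIVE_RE.search(record.msg):
            # record.args is a dict when a single mapping was passed for %(name)s
            # templates, otherwise a tuple of positional values.
            values = record.args.values() if isinstance(record.args, dict) else record.args
            rendered = record.getMessage()
            for value in values:
                text = str(value)
                if text:  # an empty value has nothing to redact
                    rendered = rendered.replace(text, REDACTED)
            record.msg, record.args = rendered, ()
        return True  # never drop the record, only its sensitive arguments


class ListHandler(logging.Handler):
    """Collects formatted lines so the result can be inspected without stdout."""

    def __init__(self) -> None:
        super().__init__()
        self.lines: list[str] = []

    def emit(self, record: logging.LogRecord) -> None:
        self.lines.append(self.format(record))


def build_logger(name: str = "some_app.redacted"):
    """Return a logger whose records pass through the redacting filter."""
    logger = logging.getLogger(name)
    logger.setLevel(logging.DEBUG)
    logger.propagate = False
    logger.handlers.clear()
    logger.filters.clear()
    handler = ListHandler()
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    logger.addHandler(handler)
    logger.addFilter(SecretRedactingFilter())
    return logger, handler


def demo() -> list:
    """Log the page's two bad templates plus a mapping-style one and a benign one."""
    logger, handler = build_logger()
    # Constructed values standing in for real credentials.
    logger.info("here is my secret value: %s", "hunter2")
    logger.error("api call using api key %s failed", "sk-constructed-key")
    logger.warning("login with %(credential)s rejected", {"credential": "pw-constructed"})
    logger.info("processed %d records for user %s", 3, "alice")
    return handler.lines


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The filter is attached to the logger rather than to a handler so that every handler, including ones added later, receives the already-redacted record. Because it replaces the rendered value text rather than the `%s` placeholders, it also works for `%d` or `%(name)s` templates; the trade-off is that a very short value would be redacted wherever that text appears in the message, which is the safer direction to err in.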
Short Link: https://sg.run/ydNx