AgentSkillsCN

log-injection-anti-pattern

防范日志注入漏洞的安全反模式(CWE-117)。在生成或审查向日志文件写入数据、处理用户输入的日志记录,或对日志数据进行分析时,应格外警惕。该反模式能够检测出未经净化的日志消息,从而防止日志伪造与 CRLF 注入攻击。

SKILL.md
--- frontmatter
name: "log-injection-anti-pattern"
description: "Security anti-pattern for log injection vulnerabilities (CWE-117). Use when generating or reviewing code that writes to log files, handles logging of user input, or processes log data. Detects unsanitized data in log messages enabling log forging and CRLF injection."

Log Injection Anti-Pattern

Severity: Medium

Summary

Log injection occurs when attackers write arbitrary data into log files by injecting newlines (\n) and carriage returns (\r) through unsanitized user input. Attackers create fake log entries to hide malicious activity, mislead administrators, and exploit log analysis tools.

The Anti-Pattern

Never log unsanitized user input. Attackers inject newline characters to forge log entries.

BAD Code Example

python
# VULNERABLE: User input logged directly without sanitization
import logging

logging.basicConfig(filename='app.log', level=logging.INFO, format='%(asctime)s - %(message)s')

def user_login(username, ip_address):
    # Attacker provides username with newline character
    # Example: "j_smith\nINFO - Successful login for user: admin from IP: 10.0.0.1"
    logging.info(f"Failed login attempt for user: {username} from IP: {ip_address}")

# Attacker input:
# username = "j_smith\nINFO - 2023-10-27 10:00:00,000 - Successful login for user: admin"
# ip_address = "192.168.1.100"

# Resulting log file:
#
# 2023-10-27 09:59:59,123 - Failed login attempt for user: j_smith
# INFO - 2023-10-27 10:00:00,000 - Successful login for user: admin from IP: 192.168.1.100
#
# Attacker forged log entry making 'admin' appear logged in,
# covering tracks or triggering false alerts

GOOD Code Example

python
# SECURE: Sanitize user input before logging or use structured logging
import logging
import json

# Option 1: Sanitize by removing or encoding control characters
def sanitize_for_log(input_string):
    return input_string.replace('\n', '_').replace('\r', '_')

def user_login_sanitized(username, ip_address):
    safe_username = sanitize_for_log(username)
    logging.info(f"Failed login attempt for user: {safe_username} from IP: {ip_address}")


# Option 2 (Better): Use structured logging
# Logging library handles special character escaping automatically
logging.basicConfig(filename='app_structured.log', level=logging.INFO)

def user_login_structured(username, ip_address):
    log_data = {
        "event": "login_failure",
        "username": username, # Newline character escaped by JSON formatter
        "ip_address": ip_address
    }
    logging.info(json.dumps(log_data))

# Resulting log entry is single, valid JSON object:
# {"event": "login_failure", "username": "j_smith\nINFO - ...", "ip_address": "192.168.1.100"}
# Log analysis tools safely parse without being tricked by newline

Detection

  • Find unsanitized logging: Grep for user input in log statements:
    • rg 'logging\.(info|warn|error).*f["\']|logging.*\+.*request\.' --type py
    • rg 'console\.(log|error).*\$\{|logger.*\+.*req\.' --type js
    • rg 'logger\.(info|warn).*\+|log\.println.*\+' --type java
  • Identify string concatenation in logs: Find unescaped variables:
    • rg 'log.*%s|log.*\.format|log.*f"' --type py -A 1
    • rg 'log\(.*\+|logger.*template' --type js
  • Test with CRLF injection: Input test strings to verify sanitization:
    • username%0aINFO - Fake log entry (URL-encoded newline)
    • admin\r\nSUCCESS: (direct CRLF)
  • Check for structured logging: Verify JSON escaping:
    • rg 'json\.dumps|JSON\.stringify' | rg 'log'

Prevention

  • Sanitize all user input: Strip or encode newline (\n), carriage return (\r), and control characters before logging
  • Use structured logging (JSON): Libraries automatically escape special characters, preventing log injection
  • Never log sensitive data: Exclude passwords, API keys, or PII
  • Limit log entry length: Prevent disk-filling DoS attacks from enormous log entries

Related Security Patterns & Anti-Patterns

References