Log injection

Severity
High

User-provided inputs must be sanitized before they are logged. An attacker can use unsanitized input to break a log's integrity, forge log entries, or bypass log monitors.

Detector ID
kotlin/log-injection@v1.0
Category
Common Weakness Enumeration (CWE)

Noncompliant example

// Noncompliant: Unsanitized user data is being written to the logs
import javax.servlet.ServletRequest
import org.slf4j.LoggerFactory

private val logger = LoggerFactory.getLogger("LogInjectionExample")

fun noncompliant(request: ServletRequest) {
    // The raw parameter may contain CR/LF, so it can split or forge log entries
    val xValue = request.getParameter("x")
    logger.info("Value is: {}", xValue)
}

Compliant example

// Compliant: There is no user input being written to the logs.
import org.slf4j.LoggerFactory

private val logger = LoggerFactory.getLogger("LogInjectionExample")

fun compliant(input: String) {
    logger.info("Value is: {}", input)
}
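Added example, not from the detector page or from CodeGuru: when a request value does have to be logged, neutralize line breaks and other control characters first so that one request cannot split into several log records or imitate a new one. The helper `sanitizeForLog`, the logger name, the `javax.servlet` import and the crafted sample value are assumptions made for this example.

```kotlin
// Added example (not part of the CodeGuru detector page): escape control
// characters in user-supplied values before they reach the log.
import javax.servlet.ServletRequest
import org.slf4j.LoggerFactory

private val logger = LoggerFactory.getLogger("LogInjectionExample")

/**
 * Hypothetical helper: replaces CR, LF, TAB and any other ISO control character
 * with a visible escape sequence and caps the length, so the logged value always
 * stays on the single line the logger wrote and cannot look like a separate record.
 */
fun sanitizeForLog(value: String?, maxLen: Int = 256): String {
    if (value == null) return "<null>"
    val sb = StringBuilder()
    for (ch in value) {
        when {
            ch == '\r' -> sb.append("\\r")
            ch == '\n' -> sb.append("\\n")
            ch == '\t' -> sb.append("\\t")
            ch.isISOControl() -> sb.append("\\u%04x".format(ch.code))
            else -> sb.append(ch)
        }
        if (sb.length >= maxLen) {
            sb.append("...[truncated]")
            break
        }
    }
    return sb.toString()
}

// Same shape as the page's noncompliant function, but the parameter is
// sanitized before it is interpolated into the log message.
fun compliantWithSanitizer(request: ServletRequest) {
    val xValue = sanitizeForLog(request.getParameter("x"))
    logger.info("Value is: {}", xValue)
}

fun main() {
    // Constructed sample: a value carrying a line break followed by text shaped
    // like a log record, which unsanitized logging would emit as a second entry.
    val crafted = "alice\r\n2024-01-01 12:00:00 INFO  login succeeded for admin"
    val safe = sanitizeForLog(crafted)
    check(!safe.contains('\n') && !safe.contains('\r')) { "sanitizer left a line break" }
    println(safe)
}
```

Escaping rather than deleting the control characters keeps the evidence visible to whoever reads the log, while the length cap limits how much a single request can bloat a log line. Log monitors that key on one-record-per-line stay reliable because the value can no longer introduce its own line breaks.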