User-provided input must be sanitized (or validated) before it is logged. An attacker can use unsanitized input to corrupt a log's integrity, forge log entries, or evade log monitors — for example, a value containing newline characters starts a new, attacker-controlled line in the log.
def logging_noncompliant():
    """Log a user-supplied filename without any validation.

    Noncompliant example: the value returned by ``input()`` is handed to
    ``logger.info`` unchanged, so whatever the user typed — including any
    line breaks or control characters — is written to the log verbatim.
    """
    # Noncompliant: raw, unvalidated user input goes straight into the log.
    logger.info("Processing %s", input("Enter a filename: "))
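def logging_compliant():
    """Log a user-supplied filename only after it passes validation.

    ``str.isalnum`` is true only for a non-empty string made entirely of
    letters and digits (Unicode-aware), so a value that passes cannot contain
    whitespace or control characters such as CR/LF and cannot forge a log
    line. A value that fails validation is reported with a fixed message that
    does not include the rejected input, so the rejection is still visible to
    log monitors without echoing untrusted data into the log.
    """
    filename = input("Enter a filename: ")
    if filename.isalnum():
        # Compliant: input is validated before logging.
        logger.info("Processing %s", filename)
    else:
        # Do not echo the rejected value; it is exactly the data we distrust.
        # Logging a constant message keeps the event observable without
        # silently dropping it.
        logger.warning("Rejected filename: input must be alphanumeric")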