← 返回首页
Clear-text logging of sensitive information — CodeQL query help documentation CodeQL docs
CodeQL documentation
CodeQL resources

Clear-text logging of sensitive information

ID: rb/clear-text-logging-sensitive-data Kind: path-problem Security severity: 7.5 Severity: error Precision: high Tags: - security - external/cwe/cwe-312 - external/cwe/cwe-359 - external/cwe/cwe-532 Query suites: - ruby-code-scanning.qls - ruby-security-extended.qls - ruby-security-and-quality.qls

Click to see the query in the CodeQL repository

Sensitive information that is stored unencrypted is accessible to an attacker who gains access to the storage.

Recommendation

Ensure that sensitive information is always encrypted before being stored.

In general, decrypt sensitive information only at the point where it is necessary for it to be used in cleartext.

Be aware that external processes often store the standard out and standard error streams of the application, causing logged sensitive information to be stored as well.

Example

The following example code logs user credentials (in this case, their password) to standard out in plaintext:

require 'Logger' class UserSession @@logger = Logger.new STDOUT def login(username, password) # ... @@logger.info "login with password: #{password})" end end

Instead, the credentials should be masked or redacted before logging:

require 'Logger' class UserSession @@logger = Logger.new STDOUT def login(username, password) # ... password_escaped = password.sub(/.*/, "[redacted]") @@logger.info "login with password: #{password_escaped})" end end

References