Log injection
Need
Prevention of log injection attacks
Context
• Usage of TypeScript for type-checking and compiling JavaScript code
• Usage of Express for building web applications and APIs
Description
1. Non compliant code
import express from 'express';
const app = express();
app.get('/login', (req, res) => {
  const username = req.query.username;
  const password = req.query.password;
  // Log the user login attempt without sanitizing the inputs
  console.log(`Login attempt: username=${username}, password=${password}`);
  res.send('Login attempt logged');
});
app.listen(3000, () => {
  console.log('Server is running on port 3000');
});
The vulnerability in this code is log injection. In the `/login` route handler, the code reads `username` and `password` from the query parameters of the request and writes them into a log entry through a template string passed to `console.log`, without validating, sanitizing, or escaping them first. Because the values are copied verbatim, an attacker controls part of every log entry: a value containing special characters or HTML tags can inject code or fake entries into the log, compromising the integrity of the logs or even the system of whoever views them. To mitigate this vulnerability, sanitize the inputs before they are stored in the log, using an appropriate sanitization function or library to remove or escape any potentially malicious characters or tags from the input values.
2. Steps
• Install a library for input sanitization, such as 'sanitize-html' or 'xss'
• Import the library into your code
• Sanitize the 'username' and 'password' inputs before logging them
• Replace the existing console.log statement with a sanitized version
3. Secure code example
import express from 'express';
import sanitizeHtml from 'sanitize-html';
const app = express();
app.get('/login', (req, res) => {
  // Query values are typed as string | string[] | object | undefined,
  // so coerce them to a single string before sanitizing
  const username = sanitizeHtml(String(req.query.username ?? ''));
  const password = sanitizeHtml(String(req.query.password ?? ''));
  // Log the sanitized login attempt
  console.log(`Login attempt: username=${username}, password=${password}`);
  res.send('Login attempt logged');
});
app.listen(3000, () => {
  console.log('Server is running on port 3000');
});
The fixed code addresses the vulnerability by sanitizing the input before storing it in the log. First, the code imports the necessary modules, `express` and `sanitize-html`. Then, an Express application is created with `express()`, and a route for the `/login` endpoint is defined with `app.get()`. Inside the route handler, the code retrieves `username` and `password` from the request query parameters and passes each through `sanitizeHtml`, which removes any potentially harmful HTML tags or attributes. The sanitized `username` and `password` are then logged to the console using a template string, so any injected code or fake inputs are neither executed nor displayed in the logs. Finally, the server is started and listens on port 3000, logging a message to indicate that it is running. By sanitizing the input before storing it in the log, the fixed code prevents injected code or fake inputs from compromising the integrity of the logs or the system.
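The following is an added example, not code from the original page. It goes one step beyond HTML sanitization: `sanitize-html` strips tags, but it leaves newline and other control characters in place, and those are what let a single request value split one log entry into two or smuggle terminal escape sequences to whoever tails the log. The example neutralizes those characters, bounds the length of each value, and shows both a plain-text log line shaped like the page's template string and a structured JSON entry. It deliberately records only whether a password was supplied, never the password itself, since credentials do not belong in logs. The `formatLoginAttempt`/`formatLoginAttemptJson` names and the sample query are constructed for this example; `express` is not imported, so the block runs offline, and the route wiring is shown as a comment.

```typescript
// Added example, not code from the original page: neutralize untrusted
// values before they reach a log line, then build the entry.

// C0 control characters (including CR, LF and ESC), DEL, and C1 controls.
const CONTROL_CHARS = /[\u0000-\u001f\u007f-\u009f]/g;

// Coerce a loosely typed Express query value (string | string[] | object |
// undefined) into one string so nothing is silently stringified later.
function asString(value: unknown): string {
  if (typeof value === 'string') return value;
  if (value === undefined || value === null) return '';
  return JSON.stringify(value);
}

// Replace every control character with a visible "\xNN" escape. The original
// bytes stay recoverable for forensics, but they can no longer break the entry
// onto a new line or drive the terminal of whoever reads the log. Values are
// also truncated so one request cannot flood the log.
function neutralizeForLog(value: unknown, maxLength = 256): string {
  const escaped = asString(value).replace(CONTROL_CHARS, (c) =>
    '\\x' + ('0' + c.charCodeAt(0).toString(16)).slice(-2),
  );
  return escaped.length > maxLength
    ? escaped.slice(0, maxLength) + '...[truncated]'
    : escaped;
}

// Plain-text entry in the shape of the page's console.log template string.
// Only the presence of a password is recorded, never its value.
function formatLoginAttempt(query: Record<string, unknown>, remoteAddress: string): string {
  const username = neutralizeForLog(query.username);
  const passwordProvided = typeof query.password === 'string' && query.password.length > 0;
  return `Login attempt: username=${username} passwordProvided=${passwordProvided} ip=${neutralizeForLog(remoteAddress)}`;
}

// Structured entry: JSON.stringify escapes quotes, backslashes and control
// characters itself, so each value stays confined to its own field and a log
// parser cannot be tricked into seeing extra keys or extra records.
function formatLoginAttemptJson(query: Record<string, unknown>, remoteAddress: string): string {
  const entry = {
    event: 'login_attempt',
    username: asString(query.username).slice(0, 256),
    passwordProvided: typeof query.password === 'string' && query.password.length > 0,
    ip: asString(remoteAddress),
  };
  return JSON.stringify(entry);
}

// Wiring into the page's route (assumed handler; express is not imported here):
//   app.get('/login', (req, res) => {
//     console.log(formatLoginAttempt(req.query, req.ip ?? ''));
//     res.send('Login attempt logged');
//   });

// Constructed sample input: a username that tries to append a forged
// "login succeeded" entry on a new line.
const sampleQuery = {
  username: 'alice\r\nINFO login succeeded user=admin',
  password: 's3cret',
};
console.log(formatLoginAttempt(sampleQuery, '203.0.113.5'));
console.log(formatLoginAttemptJson(sampleQuery, '203.0.113.5'));
```

Run with `ts-node` or compile with `tsc`: the plain-text line shows the attempted line break as a literal `\x0d\x0a` inside the username field, and the JSON line carries the same bytes as `\r\n` escapes within a single string, so neither output contains a raw newline and the forged entry never becomes a second log record.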
References
• 091. Log injection