Scala Logging Of Sensitive Data
Description
Detects when sensitive or confidential information is written to application logs through the SLF4J logging framework in Scala code. This can expose sensitive data through log files, which may be readable by unauthorized personnel or stored in insecure locations.
Detection Strategy
• Checks if the SLF4J logging library (org.slf4j) is imported in the code
• Identifies logging method calls like logger.info(), logger.debug(), etc.
• Analyzes the arguments passed to logging methods to check if they contain sensitive data like passwords, tokens or PII
• Reports a vulnerability when sensitive data is found in logging statement arguments
Vulnerable code example
import org.springframework.web.bind.annotation._
import org.slf4j.LoggerFactory

@RestController
class UserController {
  private val logger = LoggerFactory.getLogger(classOf[UserController])

  @GetMapping(Array("/api/login"))...
✅ Secure code example
import org.springframework.web.bind.annotation._
import org.slf4j.LoggerFactory

@RestController
class UserController {
  private val logger = LoggerFactory.getLogger(classOf[UserController])

  @GetMapping(Array("/api/login"))...
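The following is an added example, not part of this page or of Fluid Attacks' own scanner, that implements the four-step detection strategy described above (SLF4J import check, logging-call identification, argument inspection, report) as a small Python rule and runs it over two constructed Scala snippets: one that logs a password and one that logs only the username, standing in for the truncated vulnerable and secure examples above. The sensitive-name list, the regular expressions and the `find_sensitive_logging` function are this example's own assumptions; a production rule would parse the Scala AST instead of matching single lines.

```python
import re

# Constructed Scala sources (not the page's own examples, which are truncated).
# The vulnerable controller interpolates the password into an SLF4J log line.
VULNERABLE_SCALA = '''
import org.springframework.web.bind.annotation._
import org.slf4j.LoggerFactory

@RestController
class UserController {
  private val logger = LoggerFactory.getLogger(classOf[UserController])

  @GetMapping(Array("/api/login"))
  def login(username: String, password: String): String = {
    logger.info(s"Login attempt for $username with password $password")
    "ok"
  }
}
'''

# The secure variant logs only the non-secret field.
SECURE_SCALA = '''
import org.springframework.web.bind.annotation._
import org.slf4j.LoggerFactory

@RestController
class UserController {
  private val logger = LoggerFactory.getLogger(classOf[UserController])

  @GetMapping(Array("/api/login"))
  def login(username: String, password: String): String = {
    logger.info(s"Login attempt for $username")
    "ok"
  }
}
'''

# Step 1: the rule only applies when org.slf4j is imported.
SLF4J_IMPORT = re.compile(r'^\s*import\s+org\.slf4j\b', re.MULTILINE)

# Step 2: a single-line call such as logger.info(...) / logger.debug(...).
# Group 1 is the receiver, group 2 the level, group 3 the argument text.
LOG_CALL = re.compile(r'\b(\w+)\.(trace|debug|info|warn|error)\s*\((.*)\)\s*$')

# Step 3: assumed sensitive identifiers (passwords, tokens, PII); extend as needed.
SENSITIVE = re.compile(
    r'(?i)\b(password|passwd|pwd|secret|token|api_?key|ssn|credit_?card|cvv)\b'
)


def find_sensitive_logging(source: str):
    """Return [(line_number, level, [sensitive names])] for each offending log call."""
    findings = []
    if not SLF4J_IMPORT.search(source):
        return findings  # not SLF4J: out of scope for this rule
    for lineno, line in enumerate(source.splitlines(), start=1):
        match = LOG_CALL.search(line)
        if not match:
            continue
        args = match.group(3)
        hits = sorted({h.lower() for h in SENSITIVE.findall(args)})
        if hits:  # Step 4: report the statement
            findings.append((lineno, match.group(2), hits))
    return findings


if __name__ == "__main__":
    for label, src in (("vulnerable", VULNERABLE_SCALA), ("secure", SECURE_SCALA)):
        for lineno, level, hits in find_sensitive_logging(src):
            print(f"{label}: line {lineno} logger.{level}() logs {', '.join(hits)}")
```

The check deliberately matches on argument text rather than on the message string alone, so both `$password` interpolations and explicit concatenations such as `"pw=" + password` are reported; removing the SLF4J import makes the rule return nothing, mirroring the first bullet of the detection strategy.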