Typescript Winston Sensitive Information In Logs
Description
This detector identifies TypeScript code using the Winston logging library that may log sensitive information. It searches for Winston logging calls that could write confidential data such as passwords, tokens, API keys, or personal information into application logs. Logs are typically retained far longer than the request that produced them, shipped to aggregation or third-party services, and readable by staff and tooling that have no access to the production database, so a secret or personal record written to a log is exposed to a much wider audience than intended and stays exposed if the log store is compromised or mishandled.
Detection Strategy
• Scans TypeScript source code for Winston logging library usage patterns
• Identifies function calls to Winston logging methods (info, error, debug, warn, etc.)
• Analyzes the content being logged to detect potential sensitive information patterns
• Triggers when Winston logging calls contain variables, expressions, or string literals that may contain sensitive data like passwords, API keys, tokens, or personal identifiers
• Reports vulnerabilities when the logging context suggests confidential information could be exposed in log files
Vulnerable code example
import winston from 'winston';
const winstonLogger = winston.createLogger({
transports: [new winston.transports.Console()]
});
// VULNERABLE: Logging sensitive data directly
const password: string = "plaintext-value";
// The original example is truncated at this point; the call below completes it with
// the step the comment describes: the secret is interpolated into the message and
// written to the transport verbatim.
winstonLogger.info(`User authenticated with password ${password}`);
✅ Secure code example
import winston from 'winston';
const winstonLogger = winston.createLogger({
transports: [new winston.transports.Console()]
});
// SECURE: Mask sensitive data before logging
const password: string = "plaintext-value";
// The original example is truncated at this point; the lines below complete it.
// A fixed placeholder is used instead of a same-length mask so that not even the
// length of the secret reaches the log (omitting the field entirely is simpler still).
const maskedPassword: string = "[REDACTED]";
winstonLogger.info(`User authenticated with password ${maskedPassword}`);
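Masking at each call site, as in the secure example above, protects only the calls whose authors remembered to mask, and it is exactly those forgotten call sites that the detector exists to find. A complementary control is to redact inside the logger's format pipeline so that every call passes through the same scrubbing before any transport writes it. The following is an added example written for this page; it is not code from the Fluid Attacks detector or from Winston. The key names, regular expressions, and the constructed login event are illustrative assumptions, and the Winston wiring is shown in a comment rather than executed so the block runs without the library installed.

```typescript
// Added example, not code from the page's detector or from Winston: a redaction
// step shaped like a Winston format transform. Winston formats receive an `info`
// object (level, message, plus any metadata passed to the log call) and return the
// object that transports will serialise. Wire it in with (winston import assumed):
//   winston.createLogger({ format: winston.format.combine(
//     winston.format(redactSensitive)(), winston.format.json()), transports: [...] })
// Key names and regexes below are illustrative assumptions, not an exhaustive list.

type Info = Record<string, unknown>;

const REDACTED = "[REDACTED]";
const MAX_DEPTH = 8;

// Field names whose values are never logged. Matching is case-insensitive and
// ignores separators, so `api_key`, `apiKey` and `API-KEY` all reduce to "apikey".
// Substring matching over-redacts (e.g. `tokens_left`), which is the safe
// direction to err in for logs.
const SENSITIVE_KEYS = [
  "password", "passwd", "secret", "token", "apikey",
  "authorization", "cookie", "ssn", "creditcard",
];

function normaliseKey(key: string): string {
  return key.toLowerCase().replace(/[^a-z0-9]/g, "");
}

function isSensitiveKey(key: string): boolean {
  const k = normaliseKey(key);
  return SENSITIVE_KEYS.some((s) => k.includes(s));
}

// Secrets embedded in free-form text: bearer tokens, JWTs, and `key=value` or
// `key: value` fragments whose key is a known secret name.
function redactString(s: string): string {
  return s
    .replace(/\bBearer\s+[A-Za-z0-9\-._~+\/]+=*/g, `Bearer ${REDACTED}`)
    .replace(/\beyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]*/g, REDACTED)
    .replace(/\b(password|passwd|secret|token|api[_-]?key)(\s*[=:]\s*)\S+/gi, `$1$2${REDACTED}`);
}

// Walks nested metadata, redacting by key name and scrubbing strings. Tracks
// visited objects so circular or repeated references cannot loop, and caps depth
// so a pathological object cannot exhaust the stack inside the logger.
function redactValue(value: unknown, depth = 0, seen = new WeakSet<object>()): unknown {
  if (depth > MAX_DEPTH) return "[TRUNCATED]";
  if (typeof value === "string") return redactString(value);
  if (value === null || typeof value !== "object") return value;
  if (value instanceof Error) {
    return { name: value.name, message: redactString(value.message) };
  }
  if (seen.has(value)) return "[Circular]";
  seen.add(value);
  if (Array.isArray(value)) return value.map((v) => redactValue(v, depth + 1, seen));
  const out: Record<string, unknown> = {};
  for (const [k, v] of Object.entries(value as Record<string, unknown>)) {
    out[k] = isSensitiveKey(k) ? REDACTED : redactValue(v, depth + 1, seen);
  }
  return out;
}

// The transform itself. It mutates `info` in place rather than returning a copy:
// Winston keeps bookkeeping under Symbol keys (Symbol.for("level"),
// Symbol.for("message")) that Object.keys/entries would drop, and transports read
// them from the same object they were given.
function redactSensitive(info: Info): Info {
  for (const key of Object.keys(info)) {
    if (key === "level") continue; // control field, never user data
    info[key] = isSensitiveKey(key) ? REDACTED : redactValue(info[key]);
  }
  return info;
}

// Constructed sample: a failed-login event as an application might log it.
function demo(): Info {
  return redactSensitive({
    level: "info",
    message: "login failed for bob password=hunter2 from 10.0.0.1",
    user: { name: "bob", password: "hunter2", api_key: "k-123", profile: { ssn: "123-45-6789", city: "Lima" } },
    headers: { Authorization: "Bearer abc.def.ghi", "User-Agent": "curl/8.0" },
  });
}
```

Running `demo()` leaves `user.name`, `profile.city` and the `User-Agent` header intact while replacing the password, API key, SSN and Authorization values with the placeholder and rewriting `password=hunter2` inside the message. A format-level redactor like this does not make the detector's finding irrelevant: it is a safety net, and the fix for a flagged call is still to stop passing the secret to the logger at all.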