Javascript Bunyan Sensitive Information In Logs
Description
This detector identifies when sensitive information is being logged using the Bunyan logging library in JavaScript applications. Logging sensitive data like passwords, tokens, or personal information can expose confidential information in log files, creating security risks if logs are accessed by unauthorized parties.
Detection Strategy
• Analyzes JavaScript code that uses the Bunyan logging library
• Scans for logging statements that may contain sensitive information patterns
• Triggers when Bunyan log methods are called with parameters that could contain confidential data
• Reports vulnerabilities when sensitive data types are being written to application logs
Vulnerable code example
const bunyan = require('bunyan');
const bunyanLogger = bunyan.createLogger({ name: 'app' });
const password = "plaintext-password";
bunyanLogger.info(password); // Logs sensitive data directly

✅ Secure code example
const bunyan = require('bunyan');
const crypto = require('crypto');
const bunyanLogger = bunyan.createLogger({ name: 'app' });
const password = "plaintext-password";
bunyanLogger.info(hash(password)); // Hash sensitive data before logging
// One-way digest so the plaintext never reaches the log file. A digest can
// still be correlated across entries, so omit the value entirely when it is
// not needed for troubleshooting.
function hash(value) { return crypto.createHash('sha256').update(value).digest('hex'); }
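As an added illustration of the detection strategy above (not Fluid Attacks' own detector), the following minimal static check flags Bunyan log calls whose arguments reference sensitive-looking identifiers unless the argument passes through a sanitizer such as the hash() call in the secure example. The sensitive-identifier list, the sanitizer names and the sample source are assumptions constructed for this example.

```javascript
// Added illustration, not Fluid Attacks' detector: a minimal static check for
// Bunyan log calls whose arguments reference sensitive-looking identifiers.
const BUNYAN_LEVELS = ['trace', 'debug', 'info', 'warn', 'error', 'fatal'];
// Identifier fragments treated as sensitive (assumed list; extend as needed).
const SENSITIVE = /password|passwd|secret|token|apikey|api_key|ssn|creditcard/i;
// Calls that transform a value before logging; an argument wrapped in one of
// these is not reported (assumed names, matching the page's hash() example).
const SANITIZERS = /\b(?:hash|redact|mask)\s*\(/;
const LOG_CALL = new RegExp(`(\\w+)\\.(${BUNYAN_LEVELS.join('|')})\\s*\\((.*)\\)`);

// Collect the variable names bound to bunyan.createLogger(...) in the source.
function findBunyanLoggers(source) {
  const re = /(?:const|let|var)\s+(\w+)\s*=\s*bunyan\.createLogger\s*\(/g;
  const names = new Set();
  let m;
  while ((m = re.exec(source)) !== null) names.add(m[1]);
  return names;
}

// Return one finding per log statement on a Bunyan logger whose arguments
// mention a sensitive identifier without passing it through a sanitizer.
function findSensitiveLogCalls(source) {
  const loggers = findBunyanLoggers(source);
  const findings = [];
  source.split('\n').forEach((line, idx) => {
    const m = line.match(LOG_CALL);
    if (!m || !loggers.has(m[1])) return; // not a Bunyan logger call
    const args = m[3];
    if (SENSITIVE.test(args) && !SANITIZERS.test(args)) {
      findings.push({ line: idx + 1, logger: m[1], level: m[2], args });
    }
  });
  return findings;
}

// Constructed sample source: the page's two examples plus a few more cases.
const SAMPLE_SOURCE = [
  "const bunyan = require('bunyan');",
  "const bunyanLogger = bunyan.createLogger({ name: 'app' });",
  "const password = 'plaintext-password';",
  "bunyanLogger.info(password); // flagged: raw secret",
  "bunyanLogger.info(hash(password)); // not flagged: sanitized first",
  "bunyanLogger.warn({ user: name, token: authToken }); // flagged: token field",
  "console.log(password); // not a Bunyan logger, outside this detector's scope",
  "bunyanLogger.info('user logged in'); // no sensitive identifier",
].join('\n');

for (const f of findSensitiveLogCalls(SAMPLE_SOURCE)) {
  console.log(`line ${f.line}: ${f.logger}.${f.level}(${f.args})`);
}
```

The check is line-based and name-based only, so multi-line calls and sensitive values reached through non-obvious names (for example an object spread) are out of its reach; a real detector works on the parsed AST and tracks data flow.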