TypeScript Bunyan Sensitive Information In Logs
Description
This detector identifies instances where sensitive information may be logged using the Bunyan logging library in TypeScript applications. Logging sensitive data like passwords, API keys, or personal information can expose confidential information in log files, creating security risks if logs are compromised or accessed by unauthorized parties.
Detection Strategy
• Scans TypeScript source code for Bunyan logger method calls (log.info(), log.debug(), log.warn(), etc.)
• Analyzes the arguments passed to Bunyan logging methods to identify potentially sensitive data
• Flags logging statements that may contain sensitive information such as passwords, tokens, API keys, or personal data
• Reports vulnerabilities when Bunyan logging calls are found that could expose confidential information to log files
Vulnerable code example
import bunyan from 'bunyan';
const logger = bunyan.createLogger({ name: 'app' });
const apiKey = "sk-1234567890abcdef";
logger.info("API Key: " + apiKey); // Sensitive data logged via concatenation
const userPassword = "mySecretPass123";
...
✅ Secure code example
import bunyan from 'bunyan';
const logger = bunyan.createLogger({ name: 'app' });
const apiKey = "sk-1234567890abcdef";
logger.info("API Key: " + maskSensitive(apiKey)); // Mask sensitive data before logging
const userPassword = "mySecretPass123";
...
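The secure example above calls maskSensitive() without defining it. The block below is an added implementation (not the detector's or the page's own code) that also turns the same idea into a Bunyan-style field serializer, so structured records such as logger.info({ user }, 'login') are redacted as well. It assumes the sensitive-key pattern shown, does not import bunyan so that it runs offline (the serializers object has the shape bunyan.createLogger({ serializers }) accepts), and buildRecord() is a hypothetical stand-in for the record Bunyan would emit.

```typescript
// Added example, not from the original page. Key names treated as sensitive
// (an assumption; extend to match the application's own field names).
const SENSITIVE_KEYS = /^(password|passwd|pass|secret|token|api[_-]?key|authorization|ssn)$/i;

// Keeps only the last `visible` characters so a log line can still be
// correlated with a credential without revealing it.
function maskSensitive(value: string, visible = 4): string {
  if (value.length <= visible) return "*".repeat(value.length);
  return "*".repeat(value.length - visible) + value.slice(-visible);
}

// Recursively copies a value, masking strings stored under sensitive keys.
// Returns a new object; the caller's data is left untouched.
function redact(input: unknown): unknown {
  if (Array.isArray(input)) return input.map(redact);
  if (input && typeof input === "object") {
    const out: Record<string, unknown> = {};
    for (const [k, v] of Object.entries(input as Record<string, unknown>)) {
      out[k] = SENSITIVE_KEYS.test(k) && typeof v === "string" ? maskSensitive(v) : redact(v);
    }
    return out;
  }
  return input;
}

// Bunyan serializers map a top-level record field name to a function that
// rewrites that field. Register with bunyan.createLogger({ name: 'app', serializers })
// and log structured data, e.g. logger.info({ user }, 'login').
const serializers: Record<string, (x: unknown) => unknown> = {
  user: redact,
  req: redact,
  config: redact,
};

// Hypothetical stand-in for the record Bunyan builds for logger.info(fields, msg),
// used here only to show the effect of the serializers without the library.
function buildRecord(fields: Record<string, unknown>, msg: string): Record<string, unknown> {
  const rec: Record<string, unknown> = { msg };
  for (const [k, v] of Object.entries(fields)) {
    const serialize = serializers[k];
    rec[k] = serialize ? serialize(v) : v;
  }
  return rec;
}
```

Serializers only apply to top-level fields of the record object; a secret concatenated into the message string, as in the vulnerable example, never passes through them and must be masked before it reaches the call.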