Typescript Pino Sensitive Information In Logs
Description
This detector identifies instances where sensitive information may be inadvertently logged using the Pino logging library in TypeScript applications. Logging sensitive data like passwords, tokens, or personal information can lead to information disclosure vulnerabilities if logs are accessed by unauthorized parties or stored insecurely.
Detection Strategy
• Scans TypeScript source code for usage of the Pino logging library
• Identifies logging statements that may contain sensitive data patterns such as passwords, tokens, API keys, or personal identifiable information
• Triggers when Pino logging methods are called with arguments that match sensitive data patterns or variable names commonly associated with confidential information
• Reports vulnerabilities when sensitive information is passed directly to logging functions or when variables with sensitive naming patterns are logged
Vulnerable code example
```typescript
import pino from 'pino';
const pinoLogger = pino();
const accessToken = "secret-token-123";
pinoLogger.info(accessToken); // Logs sensitive token directly
const apiKey = "api-key-456";
// ...
```
✅ Secure code example
```typescript
import pino from 'pino';
const pinoLogger = pino();
const accessToken = "secret-token-123";
pinoLogger.info("User authenticated successfully"); // Log action without token value
const apiKey = "api-key-456";
// ...
```
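The detection strategy above, worked through as a small added scanner; this is illustrative code written for this page, not Fluid Attacks' detector. The sensitive-name pattern, the regex-based call matching and the two sample sources are assumptions of this example.

```typescript
// Added example: a minimal scanner that applies the detection strategy
// described above. The heuristics and samples below are assumptions
// of this example, not the real detector's rules.
const SENSITIVE_NAME = /(password|passwd|secret|token|api[_-]?key|ssn|credit[_-]?card)/i;
const PINO_LEVELS = ['trace', 'debug', 'info', 'warn', 'error', 'fatal'];

interface Finding {
  line: number;     // 1-based line of the logging call
  method: string;   // pino level method that was called
  argument: string; // raw argument list that triggered the finding
}

// Collect identifiers bound to pino() so only real loggers are checked.
function loggerNames(source: string): Set<string> {
  const names = new Set<string>();
  const re = /\b(?:const|let|var)\s+(\w+)\s*=\s*pino\s*\(/g;
  let m: RegExpExecArray | null;
  while ((m = re.exec(source)) !== null) names.add(m[1]);
  return names;
}

function scanPinoLogging(source: string): Finding[] {
  const findings: Finding[] = [];
  const loggers = loggerNames(source);
  if (loggers.size === 0) return findings;
  const loggerAlt = Array.from(loggers).join('|');
  const call = new RegExp(`\\b(${loggerAlt})\\.(${PINO_LEVELS.join('|')})\\s*\\(([^)]*)\\)`, 'g');
  source.split('\n').forEach((text, idx) => {
    let m: RegExpExecArray | null;
    call.lastIndex = 0;
    while ((m = call.exec(text)) !== null) {
      const args = m[3];
      // Blank out string literals: a message like "token refreshed" is not a leak,
      // only identifiers/object keys with sensitive names are flagged.
      const withoutStrings = args.replace(/"[^"]*"|'[^']*'|`[^`]*`/g, '""');
      if (SENSITIVE_NAME.test(withoutStrings)) {
        findings.push({ line: idx + 1, method: m[2], argument: args.trim() });
      }
    }
  });
  return findings;
}

// Constructed sample sources mirroring the page's two snippets.
const VULNERABLE_SAMPLE = `import pino from 'pino';
const pinoLogger = pino();
const accessToken = "secret-token-123";
pinoLogger.info(accessToken);
pinoLogger.debug({ apiKey }, "loaded config");
`;
const SECURE_SAMPLE = `import pino from 'pino';
const pinoLogger = pino();
const accessToken = "secret-token-123";
pinoLogger.info("User authenticated successfully");
`;
```

Running scanPinoLogging over VULNERABLE_SAMPLE reports lines 4 and 5, while SECURE_SAMPLE produces no findings because only a fixed message string is logged.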