Go Unsafe Logger Injection
Description
This vulnerability detector identifies unsafe logger injection in Go applications where user-controlled input is directly passed to logging functions. When user input is logged without proper sanitization, attackers can inject malicious content that may be interpreted by log analysis tools, corrupt log files, or facilitate log-based attacks.
Detection Strategy
• Scans Go source code files that import the standard 'log' package, either directly or under an alias
• Identifies calls to the standard Go logging methods, such as log.Print, log.Printf, log.Println, log.Fatal, log.Panic and their variants
• Analyzes arguments passed to these logging functions to determine if they contain user-controlled input
• Reports a vulnerability when user input is directly passed as an argument to any logging function without sanitization
• Triggers on any combination of logging method calls with tainted user input, regardless of the specific logging level or format
Vulnerable code example
package main

import (
	"log"
	"net/http"
	"github.com/gin-gonic/gin"
)
...

✅ Secure code example
package main

import (
	"log"
	"net/http"
	"strconv"
	"strings"
	"github.com/gin-gonic/gin"
...
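The pattern the detector flags, side by side with a hardened version, as an added example that is not part of the Fluid Attacks page or its gin-based samples. It uses only the standard library (net/http, log, httptest) so it runs offline, and it goes one step beyond the page by capturing the logger output to show what a newline in the "user" parameter does to the log. The sanitizeForLog helper, the maxLogField limit, the handler names and the forged parameter value are assumptions constructed for this illustration.

```go
package main

import (
	"bytes"
	"fmt"
	"log"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
	"unicode"
)

// maxLogField caps how much of an untrusted value reaches the log, so a very
// large parameter cannot flood it. Hypothetical limit chosen for this example.
const maxLogField = 200

// sanitizeForLog neutralizes the characters that let a single log call span
// several lines or carry terminal escape sequences into a log viewer: CR and LF
// become the visible text `\r` / `\n`, every other control character (ESC, NUL,
// BEL, ...) is dropped, and the value is truncated at maxLogField runes.
// Hypothetical helper written for this example; strconv.Quote is the
// standard-library one-liner for the escaping part when no truncation is needed.
func sanitizeForLog(s string) string {
	var b strings.Builder
	n := 0
	for _, r := range s {
		if n == maxLogField {
			b.WriteString("...(truncated)")
			break
		}
		n++
		switch {
		case r == '\n':
			b.WriteString(`\n`)
		case r == '\r':
			b.WriteString(`\r`)
		case unicode.IsControl(r):
			// Dropping ESC breaks an ANSI sequence such as ESC[31m, so the
			// remaining "[31m" is logged as harmless text.
		default:
			b.WriteRune(r)
		}
	}
	return b.String()
}

// vulnerableHandler is the pattern the detector reports: the raw query
// parameter goes straight into log.Printf.
func vulnerableHandler(w http.ResponseWriter, r *http.Request) {
	user := r.URL.Query().Get("user")
	log.Printf("login attempt for user %s", user)
	fmt.Fprintln(w, "ok")
}

// secureHandler passes the same value through sanitizeForLog first, so the
// entry stays on one line no matter what the client sends.
func secureHandler(w http.ResponseWriter, r *http.Request) {
	user := sanitizeForLog(r.URL.Query().Get("user"))
	log.Printf("login attempt for user %s", user)
	fmt.Fprintln(w, "ok")
}

// logLinesFor runs a handler against a constructed request carrying the given
// "user" value and returns the lines the package logger wrote, so the effect
// of the input on the log can be inspected directly.
func logLinesFor(h http.HandlerFunc, user string) []string {
	var buf bytes.Buffer
	prevOut, prevFlags := log.Writer(), log.Flags()
	log.SetOutput(&buf)
	log.SetFlags(0) // no timestamp, keeps the captured lines predictable
	defer func() {
		log.SetOutput(prevOut)
		log.SetFlags(prevFlags)
	}()

	req := httptest.NewRequest(http.MethodGet, "/login?user="+url.QueryEscape(user), nil)
	rec := httptest.NewRecorder()
	h(rec, req)

	return strings.Split(strings.TrimRight(buf.String(), "\n"), "\n")
}

func main() {
	// Constructed input: a name followed by a newline and a forged second entry.
	forged := "alice\n[ADMIN] login attempt for user root"
	for _, line := range logLinesFor(vulnerableHandler, forged) {
		fmt.Println("vulnerable:", line)
	}
	for _, line := range logLinesFor(secureHandler, forged) {
		fmt.Println("secure:    ", line)
	}
}
```

With the forged value the vulnerable handler emits two log lines, and the second one is indistinguishable from a genuine entry to any tool that treats one line as one event; the sanitized handler emits a single line in which the injected newline is visible as the text `\n`. The same helper belongs in front of every logging call the detector lists, not only log.Printf, since the issue is the untrusted argument rather than the logging level.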