Ruby Sensitive Information In Logger
Description
This detector identifies Ruby code that may log sensitive information through logger method calls. When sensitive data (like passwords, tokens, or personal information) is passed to logging functions, it can be inadvertently exposed in log files, creating security risks. This vulnerability can lead to credential theft, privacy violations, and compliance issues.
Detection Strategy
• The Ruby logger library must be imported or available in the analyzed code
• A method call to a standard library logger function (like logger.info, logger.debug, logger.error, etc.) must be present
• The logger method call must contain arguments that appear to contain sensitive information based on variable names, string patterns, or data flow analysis
• The combination of a logger sink with potentially sensitive arguments triggers the vulnerability report
Vulnerable code example
require 'logger'
logger = Logger.new(STDOUT)
params = { password: 'hunter2' } # constructed request params so the snippet runs; a real app takes these from the request
# Sensitive variable interpolated into logger message
password = params[:password]
logger.info("Login attempt with #{password}") # VULNERABLE: logs sensitive data
Secure code example
require 'logger'
logger = Logger.new(STDOUT)
params = { password: 'hunter2' } # constructed request params so the snippet runs; a real app takes these from the request
# Sensitive variable filtered before logging
password = params[:password]
logger.info("Login attempt with [FILTERED]") # SAFE: sensitive data redacted
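The secure example above redacts one hard-coded value by hand. The following is an added example, not code from Fluid Attacks or the Ruby logger library, showing two layers a practitioner would combine: filtering sensitive keys out of a params hash before it is interpolated, and a Logger formatter that masks secret-bearing patterns in every message so a forgotten interpolation is still caught. The key list, the regexes and the sample request are assumptions constructed for this illustration.

```ruby
require 'logger'
require 'stringio'

FILTERED = '[FILTERED]'.freeze
# Parameter keys whose values must never reach a log line (assumed list; extend per app).
SENSITIVE_KEYS = %w[password passwd secret token api_key authorization ssn].freeze
# Patterns that catch secrets embedded in free-form messages; groups 1 and 2 are kept, the value is masked.
MASK_PATTERNS = [
  /(password|passwd|secret|token|api_key)(\s*[=:]\s*)\S+/i,
  /(Bearer)(\s+)\S+/
].freeze

# Layer 1: recursively replace values under sensitive keys so a params hash can be logged.
def filter_sensitive(value)
  case value
  when Hash
    value.each_with_object({}) do |(k, v), out|
      out[k] = SENSITIVE_KEYS.include?(k.to_s.downcase) ? FILTERED : filter_sensitive(v)
    end
  when Array then value.map { |v| filter_sensitive(v) }
  else value
  end
end

# Layer 2: mask secret-bearing patterns in any message string.
def mask_message(msg)
  MASK_PATTERNS.reduce(msg.to_s) { |m, re| m.gsub(re, "\\1\\2#{FILTERED}") }
end

# Logger whose formatter runs mask_message on every record before it is written.
def build_redacting_logger(io = $stdout)
  logger = Logger.new(io)
  logger.formatter = proc do |severity, time, _prog, msg|
    "#{severity} #{time.utc.strftime('%FT%TZ')}: #{mask_message(msg)}\n"
  end
  logger
end

# Runs both layers against a constructed request and returns the captured log text.
def demo_output
  io = StringIO.new
  logger = build_redacting_logger(io)
  params = { user: 'alice', password: 'hunter2', profile: { ssn: '123-45-6789' } } # constructed
  logger.info("Login attempt with #{filter_sensitive(params)}")      # layer 1: filtered hash
  logger.info('Upstream call sent Authorization: Bearer eyJabc.def') # layer 2: formatter mask
  io.string
end

puts demo_output if $PROGRAM_NAME == __FILE__
```

The formatter is the safety net for the exact pattern the detector flags: a secret interpolated straight into the message still leaves the process as `[FILTERED]`.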