Dart Log Injection Untrusted Input
Description
Detects log injection vulnerabilities in Dart applications where untrusted user input flows into logging statements. This could allow attackers to inject malicious content into log files, potentially leading to log forging or log injection attacks.
Detection Strategy
• Identifies calls to logging methods (fine, finest, config, info, warning, severe, shout) on logger objects
• Checks if the logging statement contains data that originated from untrusted sources like user input
• Flags logging operations where unvalidated external input is directly written to log files
• Reports a vulnerability when user-controllable data reaches logging functions without proper sanitization
Vulnerable code example
import 'dart:io';
import 'package:logging/logging.dart';

void logUserInput(HttpRequest request) {
  final logger = Logger('App');
  // queryParameters['data'] is String? under null safety, so default to ''
  String userInput = request.uri.queryParameters['data'] ?? '';
  logger.info('User provided: $userInput'); // Vulnerable: logs raw user input without sanitization
}

✅ Secure code example
import 'dart:io';
import 'package:logging/logging.dart';

void logUserInput(HttpRequest request) {
  final logger = Logger('App');
  // Sanitize user input by removing CRLF to prevent log injection
  String userInput = request.uri.queryParameters['data'] ?? '';
  String sanitized = userInput.replaceAll(RegExp(r'[\r\n]'), '');
  logger.info('User provided: $sanitized'); // Safe: the value can no longer start a new log line
}
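The following is an added, runnable example (not part of the rule page or of Fluid Attacks' code) that makes the difference between the two snippets observable. It captures what package:logging would write, feeds in a constructed query value that contains a line break followed by text shaped like a log record, and counts the physical lines produced with and without sanitization. The logger name `ExampleApp`, the helper names `sanitizeForLog`, `captureLog` and `physicalLineCount`, and the sample input are all assumptions made for this example; the sanitizer generalizes the page's CRLF removal to every ASCII control character, since other control bytes can also corrupt a record or a terminal that displays it.

```dart
import 'package:logging/logging.dart';

/// Replaces CR, LF and every other ASCII control character with a space.
/// Broader than the page's CRLF-only filter (an assumption of this example):
/// any control byte can break a record, not just the two line terminators.
String sanitizeForLog(String input) {
  return input.replaceAll(RegExp(r'[\x00-\x1F\x7F]'), ' ');
}

/// Runs [body] against a logger and returns each emitted record formatted
/// the way a typical handler would write it to a file.
/// package:logging publishes records on a synchronous broadcast stream,
/// so the list is complete when [body] returns.
List<String> captureLog(void Function(Logger) body) {
  final lines = <String>[];
  final logger = Logger('ExampleApp'); // hypothetical logger name
  final subscription = logger.onRecord.listen((record) {
    lines.add('[${record.level.name}] ${record.loggerName}: ${record.message}');
  });
  body(logger);
  subscription.cancel();
  return lines;
}

/// Number of physical lines a log consumer would see for these records.
/// A count larger than the record count means a record was split, i.e. a
/// forged line appeared.
int physicalLineCount(List<String> records) {
  if (records.isEmpty) return 0;
  return records.join('\n').split('\n').length;
}

void main() {
  // Constructed input: a value an attacker could put in ?data=...; after the
  // newline it mimics the format of a real record from this logger.
  const untrusted = 'alice\n[INFO] ExampleApp: admin login succeeded';

  final raw = captureLog((log) => log.info('User provided: $untrusted'));
  final safe =
      captureLog((log) => log.info('User provided: ${sanitizeForLog(untrusted)}'));

  print('records emitted (unsanitized): ${raw.length}, '
      'physical lines: ${physicalLineCount(raw)}');
  print('records emitted (sanitized):   ${safe.length}, '
      'physical lines: ${physicalLineCount(safe)}');
  print('--- unsanitized output ---');
  raw.forEach(print);
  print('--- sanitized output ---');
  safe.forEach(print);
}
```

With the unsanitized call, a single `logger.info` produces more physical lines than records, and the extra line is indistinguishable from a genuine record to anyone reading the file or to a log parser keyed on the `[LEVEL] name:` prefix. After `sanitizeForLog`, the record count and the physical line count agree. For a real application the same neutralization belongs in one place (a wrapper around the logger or a custom `Level`-agnostic handler), rather than being repeated at every call site, because the rule flags every logging call that receives unsanitized request data.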