Ruby Logger Injection In Rails
Description
This detector identifies Ruby on Rails logger injection vulnerabilities where unsanitized user input is passed to logging methods. When untrusted data flows into logger calls without proper validation or sanitization, attackers can inject malicious content into application logs, potentially leading to log forgery, information disclosure, or other security issues depending on how logs are processed or displayed.
Detection Strategy
• Reports a vulnerability when a Rails logger method (like logger.info, logger.error, etc.) is called with arguments containing unsanitized user input
• The detection requires both conditions to be met: the method call must be identified as a Rails logger sink AND at least one argument must contain user-controlled data that hasn't been properly sanitized
• User input sources typically include HTTP request parameters, form data, URL parameters, cookies, and other external data sources that flow into the logger without validation
Vulnerable code example
class UsersController < ApplicationController
  def login
    username = params[:username]
    Rails.logger.info("Login attempt: #{username}") # Logs untrusted user input
  end

  def reset
    token = request.cookies['reset_token']...
✅ Secure code example
class UsersController < ApplicationController
  def login
    username = params[:username].gsub(/[\r\n]/, '') # Strip CRLF to prevent log injection
    Rails.logger.info("Login attempt: #{username}")
  end

  def reset
    token = request.cookies['reset_token'].gsub(/[\r\n]/, '') # Strip CRLF from cookie data...
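The following is an added, self-contained example (not part of this page or of Fluid Attacks' detector) showing why the detector flags interpolated request data and what the CRLF stripping in the secure example actually changes. It uses Ruby's standard-library Logger writing to an in-memory buffer in place of Rails.logger, a constructed username carrying a CRLF sequence followed by a fake log entry, and two hypothetical sanitizer helpers: strip_crlf (the same gsub as the secure example, with a to_s guard) and escape_control_chars, a stricter variant that keeps control characters visible instead of dropping them.

```ruby
require 'logger'
require 'stringio'

# Constructed sample input: a "username" that carries CR+LF followed by text
# shaped like a second log entry. Interpolated as-is, it becomes two log lines.
FORGED_USERNAME = "alice\r\nI, [2024-01-01T00:00:00] INFO -- : Login succeeded for admin"

# Same approach as the page's secure example, plus to_s so a missing
# parameter (nil) does not raise NoMethodError on gsub. (hypothetical helper)
def strip_crlf(value)
  value.to_s.gsub(/[\r\n]/, '')
end

# Stricter variant: escape every ASCII control character (and DEL) as \xNN so
# the attempt remains visible to whoever reads the log. (hypothetical helper)
def escape_control_chars(value)
  value.to_s.gsub(/[\x00-\x1f\x7f]/) { |c| format('\\x%02x', c.ord) }
end

# Write one "login attempt" entry, optionally through a sanitizer, and return
# the resulting log text so the effect on the log can be inspected.
def log_login_attempt(username, sanitizer: nil)
  buffer = StringIO.new
  logger = Logger.new(buffer)
  # Fixed formatter (no timestamp) so the output is deterministic.
  logger.formatter = proc { |severity, _time, _prog, msg| "#{severity}: #{msg}\n" }
  value = sanitizer ? sanitizer.call(username) : username
  logger.info("Login attempt: #{value}")
  buffer.string
end

# Number of physical lines produced by a single logger call.
# A single entry should always yield exactly one line.
def entry_line_count(log_text)
  log_text.lines.count
end

if __FILE__ == $PROGRAM_NAME
  puts log_login_attempt(FORGED_USERNAME)
  puts log_login_attempt(FORGED_USERNAME, sanitizer: method(:strip_crlf))
  puts log_login_attempt(FORGED_USERNAME, sanitizer: method(:escape_control_chars))
end
```

Run as a script, the first call prints two lines, the second a single line with "Login succeeded for admin" glued onto the username, and the third a single line with the literal \x0d\x0a in place of the line break. Stripping satisfies the detector's "sanitized" condition, but escaping is usually the better choice for security monitoring because the forged content stays recognisable rather than silently merging into the legitimate entry. Note that the page's secure example calls gsub directly on params[:username]; if that parameter is absent the call raises, which is why the helper above converts with to_s first.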