Python Logging Config Insecure Listen
Description
Detects uses of Python's logging.config.listen() with no verify callable (the parameter omitted or set to None). In that state the listener accepts any configuration sent to its port, so an attacker who can reach it can change the application's logging configuration over the network without authentication.
Detection Strategy
• Check if logging.config module is imported in the Python code
• Look for calls to logging.config.listen() function
• Verify if the function call is missing the 'verify' parameter or sets it to None
• Report a vulnerability when logging.config.listen() is called without proper verification enabled
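The detection strategy above, as an added example that is not part of this page or of the rule engine's own code: a small Python AST checker that flags listen() calls whose verify argument is omitted or an explicit None, including calls made through import aliases and a positional verify argument. The sample source it scans is constructed here.

```python
import ast

# Constructed sample source; it is only parsed, never executed, so the
# undefined verify_config name and the listen() calls are harmless here.
SAMPLE = '''
import logging.config
import logging.config as lc
from logging.config import listen

t1 = logging.config.listen(9999, verify=None)    # flagged: verify=None
t2 = logging.config.listen(9999)                 # flagged: verify omitted
t3 = lc.listen(9999, None)                       # flagged: positional None
t4 = listen(verify=verify_config)                # ok: callable supplied
t5 = logging.config.listen(9999, verify_config)  # ok: positional callable
'''

def _verify_arg(call: ast.Call):
    # listen(port=..., verify=None): verify is the keyword or the 2nd positional.
    for kw in call.keywords:
        if kw.arg == "verify":
            return kw.value
    return call.args[1] if len(call.args) > 1 else None

def find_insecure_listen(source: str) -> list[int]:
    """Line numbers of logging.config.listen() calls lacking a verify callable."""
    tree = ast.parse(source)
    mod_aliases, func_aliases = set(), set()  # names bound to the module / to listen
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            mod_aliases |= {a.asname or a.name for a in node.names if a.name == "logging.config"}
        elif isinstance(node, ast.ImportFrom) and node.module == "logging.config":
            func_aliases |= {a.asname or a.name for a in node.names if a.name == "listen"}
    hits = []
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call):
            continue
        f = node.func
        by_name = isinstance(f, ast.Name) and f.id in func_aliases
        by_attr = (isinstance(f, ast.Attribute) and f.attr == "listen"
                   and ast.unparse(f.value) in mod_aliases)
        if not (by_name or by_attr):
            continue
        v = _verify_arg(node)
        # Report when verify is missing entirely or is an explicit None literal.
        if v is None or (isinstance(v, ast.Constant) and v.value is None):
            hits.append(node.lineno)
    return sorted(hits)
```

Running find_insecure_listen(SAMPLE) reports lines 6, 7 and 8 of the sample and leaves the two calls that pass a callable alone.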
Vulnerable code example
import logging.config
# Vulnerable: accepts arbitrary configuration without verification
t = logging.config.listen(9999, verify=None) # Allows code injection via network
t.start()
✅ Secure code example
import logging.config
import hmac
import hashlib
def verify_config(data: bytes) -> bytes | None:
    # Validate configuration data with HMAC before processing
    # Assumed layout (completed here, not from the original page): 32-byte HMAC-SHA256 tag, then the config bytes
    secret_key = b"your-secret-key"  # Store this securely in environment/config
    received_signature, config = data[:32], data[32:]
    expected_signature = hmac.new(secret_key, config, hashlib.sha256).digest()
    if not hmac.compare_digest(received_signature, expected_signature):
        return None  # Returning None makes listen() discard the received configuration
    return config  # Returned bytes are what listen() applies
t = logging.config.listen(9999, verify=verify_config)
t.start()