logo

Database

Typescript Pino Log Forging

Description

Detects when unsanitized user-controlled input is written into Pino log messages in TypeScript applications. Without proper sanitization, attackers can inject newline characters or forged log entries into the log stream, misleading security monitoring systems and hiding malicious activity.

Weakness:

091 - Log injection

Category: System Manipulation

Detection Strategy

    Identifies calls to Pino logger methods (info, error, warn, debug, fatal, trace, log)

    Resolves the logger instance back to its definition to confirm it was created via pino()

    Inspects the arguments passed to the log call for symbols, element accesses, or member accesses that originate from HTTP request data

    Reports a vulnerability when user-controlled input reaches a Pino log method without sanitization or validation

Vulnerable code example

import express, { Request, Response } from 'express';
import pino from 'pino';

const app = express();
const logger = pino();

app.get('/search', (req: Request, res: Response) => {
  const query = req.query.q as string;...

✅ Secure code example

import express, { Request, Response } from 'express';
import pino from 'pino';

const app = express();
const logger = pino();

app.get('/search', (req: Request, res: Response) => {
  const query = req.query.q as string;...