Python Starlette Sensitive Data Logging

Description

Detects when sensitive data taken from the Starlette web framework (request query parameters, headers, cookies, session data) is passed, directly or through an intermediate variable, to a logging call. Application logs are typically stored, rotated, shipped to third-party collectors and read by people with far broader access than the database, so anything written to them (passwords, tokens, session identifiers) is effectively disclosed.

Weakness:

059 - Sensitive information stored in logs

Category: Information Collection

Detection Strategy

    Check whether both the 'logging' and 'starlette' modules are imported in the file

    Identify logging function calls (logging.info, logging.debug, logger.warning, etc.)

    Check whether any argument to these logging calls reads from Starlette's request context, either directly (request.headers) or through a variable assigned from it

    Report a vulnerability if sensitive Starlette data reaches a logging statement

Vulnerable code example

import logging
from starlette.requests import Request
from starlette.responses import PlainTextResponse

async def vulnerable_handler(request: Request):
    password = request.query_params.get("password")
    # VULNERABLE: the plaintext password from user input is written to the log
    logging.info("Login attempt with password: %s", password)
    return PlainTextResponse("ok")

✅ Secure code example

import logging
from starlette.requests import Request
from starlette.responses import PlainTextResponse

async def secure_handler(request: Request):
    password = request.query_params.get("password")
    # SAFE: record that an authentication attempt happened without logging
    # the credential itself (or anything derived from it, such as its hash)
    logging.info("Login attempt received")
    return PlainTextResponse("ok")