CodeHarborHub / codeharborhub.github.io

Welcome to CodeHarborHub! Our mission is to provide accessible and comprehensive educational resources to learners of all levels, from beginners to advanced professionals. Whether you're looking to kickstart your career in web development, master a new programming language, or stay updated on the latest tech trends, we've got you covered.
https://codeharborhub.github.io/
MIT License
80 stars 163 forks

Audit: Unsanitized user input passed to server logs JS-A1004 #3270

Closed Ajay-Dhangar closed 3 weeks ago

Ajay-Dhangar commented 1 month ago

DESCRIPTION

Logs serve as important records that are used by monitoring services and developers to investigate incidents. Logging unsanitized user input to the server allows the user to forge custom server logs.

In some more serious scenarios, it opens the application up to attacks like spoofing. The attacker may insert a line break in the request object, and make the second line of their log look like a log from a different user or an info message displayed by the server.

BAD PRACTICE

import http from "http"
import url from "url"

http.createServer((req, res) => {
  const parsedUrl = url.parse(req.url, true)
  // Vulnerable! user can inject special characters in the terminal
  console.log(parsedUrl.query.username);
})

RECOMMENDED

import http from "http"
import url from "url"

http.createServer((req, res) => {
  const parsedUrl = url.parse(req.url, true)

  // NOTE: Ideally, stronger sanitization functions should be used.
  // String#replace is only used as an example.
  // Coerce to a string first so a missing parameter does not throw on .replace
  const username = String(parsedUrl.query.username ?? "").replace(/\n|\r/g, "")
  // Log the sanitized value, not the raw parsed URL
  console.log(username);
})

Sanitize user queries before logging them to the console

src/pages/contact/index.tsx

      email:formValues.email,
      message:formValues.message
    })
    console.log(response.data);

    setFormValues({
      fullName: "",
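The forged second log line that the issue describes, as an added example that is not part of the CodeHarborHub code base or of the linter's documentation: it builds a request URL whose username parameter carries a CRLF, shows the naive log line splitting in two, and then neutralizes it two ways, first by escaping every control character so the log stays one line and the injected bytes remain visible, then by emitting a single-line JSON record so the value survives intact for structured log pipelines. The function names and the sample URL are constructed for this illustration.

```javascript
// Added example, not project code. Uses only Node's global WHATWG URL class.

// Constructed attacker input: "bob" followed by CRLF and a line that imitates
// a successful admin login record.
const FORGED_URL =
  "/login?username=" + encodeURIComponent("bob\r\nINFO login ok user=admin");

function usernameFrom(reqUrl) {
  // Base origin is only needed to parse a path-relative request URL.
  const parsed = new URL(reqUrl, "http://localhost");
  return parsed.searchParams.get("username"); // null when absent
}

// BAD: the raw value is interpolated, so the CRLF becomes a real line break
// and the terminal shows two log entries.
function naiveLogLine(reqUrl) {
  return `INFO login attempt user=${usernameFrom(reqUrl)}`;
}

// Replace CR and LF with their escape sequences and every other C0/C1 control
// character (including ESC, which starts terminal escape sequences) with \xNN.
// Escaping rather than deleting keeps the evidence of the attempt in the log.
function escapeControlChars(value) {
  return String(value ?? "").replace(/[\x00-\x1f\x7f-\x9f]/g, (ch) => {
    if (ch === "\n") return "\\n";
    if (ch === "\r") return "\\r";
    return "\\x" + ch.charCodeAt(0).toString(16).padStart(2, "0");
  });
}

// GOOD (plain-text logs): one physical line per event, injected bytes visible.
function sanitizedLogLine(reqUrl) {
  return `INFO login attempt user=${escapeControlChars(usernameFrom(reqUrl))}`;
}

// GOOD (structured logs): JSON.stringify escapes \r and \n inside the string,
// so the record is a single line and the original value round-trips.
function structuredLogLine(reqUrl) {
  return JSON.stringify({
    level: "info",
    event: "login_attempt",
    user: usernameFrom(reqUrl) ?? "",
  });
}

function main() {
  console.log("--- naive (two lines appear) ---");
  console.log(naiveLogLine(FORGED_URL));
  console.log("--- escaped ---");
  console.log(sanitizedLogLine(FORGED_URL));
  console.log("--- structured ---");
  console.log(structuredLogLine(FORGED_URL));
}

main();
```

Escaping control characters is the minimum for a text log; a structured logger is preferable because downstream tooling parses the record by field rather than by line, which removes the whole class of line-oriented forgery.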
github-actions[bot] commented 1 month ago

Hi @Ajay-Dhangar! Thanks for opening this issue. We appreciate your contribution to this open-source project. Your input is valuable and we aim to respond or assign your issue as soon as possible. Thanks again!

github-actions[bot] commented 3 weeks ago

Hello @Ajay-Dhangar! Your issue #3270 has been closed. Thank you for your contribution!