Prevention of log injection attacks
```javascript
import express from 'express';

const app = express();

app.get('/login', (req, res) => {
  const username = req.query.username;
  const password = req.query.password;
  // Log the user login attempt without sanitizing the inputs
  console.log(`Login attempt: Username - ${username}, Password - ${password}`);
  // Rest of the login logic...
});

app.listen(3000, () => {
  console.log('Server is running on port 3000');
});
```
The vulnerability in this code is log injection: the user login attempt is written to the log without any sanitization of the inputs.

In the `/login` route handler, the code retrieves `username` and `password` from the query parameters of the request and logs the login attempt with a template string passed to `console.log`.

The code never validates, sanitizes, or escapes these values before logging them, so an attacker who controls a query parameter controls part of the log line. That lets them forge log entries or embed content that a log viewer will interpret.

For example, a username or password value can contain special characters such as line breaks, which let the attacker start a new, fake log entry, or HTML tags, which a browser-based log viewer may render. Logged without sanitization, such values can compromise the integrity of the logs or even the system of whoever is viewing them.

To mitigate this vulnerability, sanitize the inputs before storing them in the log, using a suitable sanitization function or library to remove or escape any potentially malicious characters or tags from the input values.
```javascript
import express from 'express';
import sanitizeHtml from 'sanitize-html';

const app = express();

app.get('/login', (req, res) => {
  // Strip HTML tags and attributes from the query values before they are logged
  const username = sanitizeHtml(req.query.username);
  const password = sanitizeHtml(req.query.password);
  // Log the sanitized user login attempt
  console.log(`Login attempt: Username - ${username}, Password - ${password}`);
  // Rest of the login logic...
});

app.listen(3000, () => {
  console.log('Server is running on port 3000');
});
```
The fixed code addresses the vulnerability by sanitizing the input before storing it in the log.

First, the code imports the necessary modules, `express` and `sanitize-html`. Then an Express application is created with `express()`.

A route is defined for the `/login` endpoint using `app.get()`. Inside the route handler, the code retrieves `username` and `password` from the request query parameters.

To sanitize the input, the `sanitizeHtml` function removes any potentially harmful HTML tags or attributes from the input values.

The sanitized `username` and `password` are then logged to the console using a template string, so injected HTML is neither rendered by a log viewer nor stored in the logs as written by the attacker.

Finally, the server is started and listens on port 3000, and a message is logged to indicate that the server is running.

By sanitizing the input before storing it in the log, the fixed code prevents injected content from compromising the integrity of the logs or the system that displays them.
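As an added example that is not part of the original page, the handler below goes one step further than `sanitize-html` alone: stripping HTML tags does not remove line breaks, so a newline in the username could still forge a second log entry, and the helper therefore escapes control characters as well as HTML, bounds the length, and never writes the password itself to the log. The names `sanitizeForLog`, `loginLogLine` and `loginHandler` are my own, and the attacker-style inputs at the bottom are constructed for the demonstration.

```javascript
// Characters that must never reach a log line verbatim:
// ASCII control characters (including CR and LF) and HTML-significant characters.
const CONTROL_CHARS = /[\u0000-\u001f\u007f]/g;
const HTML_CHARS = /[<>&"']/g;
const HTML_ESCAPES = { '<': '&lt;', '>': '&gt;', '&': '&amp;', '"': '&quot;', "'": '&#39;' };

// Returns a single-line, HTML-escaped, length-bounded string safe to place in a log entry.
// `value` may be undefined or an array, both of which Express's query parser can produce.
function sanitizeForLog(value, maxLength = 64) {
  const text = Array.isArray(value) ? value.join(',') : String(value ?? '');
  const escaped = text
    // A newline becomes the visible literal "\u000a" instead of starting a new log entry.
    .replace(CONTROL_CHARS, (c) => `\\u${c.charCodeAt(0).toString(16).padStart(4, '0')}`)
    .replace(HTML_CHARS, (c) => HTML_ESCAPES[c]);
  return escaped.length > maxLength ? `${escaped.slice(0, maxLength)}...[truncated]` : escaped;
}

// Builds the log line. The password is never recorded, only whether one was supplied.
function loginLogLine(username, password) {
  const pw = password ? '[redacted]' : '[missing]';
  return `Login attempt: Username - ${sanitizeForLog(username)}, Password - ${pw}`;
}

// Drop-in replacement for the /login handler above: app.get('/login', loginHandler).
// Returns the log line so it can be checked without capturing console output.
function loginHandler(req, res) {
  const line = loginLogLine(req.query.username, req.query.password);
  console.log(line);
  res.sendStatus(204); // the rest of the login logic would go here
  return line;
}

// Constructed inputs showing a forged-entry attempt and an HTML payload being neutralized.
const forgedEntry = 'alice\nLogin attempt: Username - admin, Password - ok';
console.log(loginLogLine(forgedEntry, 'hunter2'));
console.log(loginLogLine('<script>alert(1)</script>', ''));
```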