Logs serve as important records that monitoring services and developers rely on when investigating incidents. Logging unsanitized user input on the server allows the user to forge log entries.
In more serious scenarios, it opens the application up to attacks such as spoofing. An attacker may insert a line break into the request, making the second line of their input look like a log entry from a different user or an informational message emitted by the server itself, which misleads anyone (or any tool) reading the logs.

import http from "http"
import url from "url"

http.createServer((req, res) => {
  const parsedUrl = url.parse(req.url, true)
  // Vulnerable! The user can inject line breaks and other control characters
  // straight into the log output
  console.log(parsedUrl.query.username)
  res.end()
}).listen(8080)

import http from "http"
import url from "url"

http.createServer((req, res) => {
  const parsedUrl = url.parse(req.url, true)
  // NOTE: Ideally, stronger sanitization functions should be used.
  // String#replace is only used as an example.
  // String() guards against a missing or repeated query parameter, which
  // would otherwise make .replace throw on undefined or an array.
  const username = String(parsedUrl.query.username ?? "").replace(/\n|\r/g, "")
  // Log the sanitized value, not the raw parsed URL
  console.log(username)
  res.end()
}).listen(8080)
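The following is an added example, not code from the original page. It shows what the forged-entry attack described above looks like on a constructed payload, and contrasts two defences that go beyond the minimal `String#replace` shown above: escaping every ASCII control character (not just `\n` and `\r`) so that it stays visible in the log, and emitting structured JSON entries, where `JSON.stringify` escapes control characters for you. The handler parses the request path with the WHATWG `URL` API instead of the legacy `url.parse`; the `sanitizeForLog`, `formatLogEntry` and `handleRequest` names and the `FORGED_USERNAME` payload are assumptions made for this example.

```javascript
// Added example: defending log output against forged entries.
// Matches every ASCII control character, including NUL, ESC and DEL.
const CONTROL_CHARS = /[\x00-\x1f\x7f]/g;

// Escape control characters so the logged value stays on one line and
// any attempt to inject one remains visible to whoever reads the log.
function sanitizeForLog(value) {
  // Coerce first: a missing or repeated query parameter arrives as
  // undefined or an array, and calling .replace on those would throw.
  const str = String(value ?? "");
  return str.replace(CONTROL_CHARS, (ch) => {
    switch (ch) {
      case "\n": return "\\n";
      case "\r": return "\\r";
      case "\t": return "\\t";
      default:
        return "\\x" + ch.charCodeAt(0).toString(16).padStart(2, "0");
    }
  });
}

// Structured alternative: one JSON object per line. JSON.stringify escapes
// control characters itself, so a newline in a field cannot start a new entry.
function formatLogEntry(level, fields) {
  return JSON.stringify({ level, ...fields });
}

// Build the log line for a request path, using the WHATWG URL parser.
// Returns the sanitized plain-text line and the structured entry.
function handleRequest(requestUrl) {
  const parsedUrl = new URL(requestUrl, "http://localhost");
  const username = parsedUrl.searchParams.get("username");
  return {
    text: `login attempt for ${sanitizeForLog(username)}`,
    json: formatLogEntry("info", { event: "login", username: username ?? "" }),
  };
}

// Constructed attacker payload (not from a real incident): the username
// carries a line break followed by text shaped like a server INFO message.
const FORGED_USERNAME = "alice\nINFO: user admin logged in successfully";

// Compare naive logging with the two defences on the constructed payload.
function demo() {
  const naive = `login attempt for ${FORGED_USERNAME}`;
  const result = handleRequest(
    "/login?username=" + encodeURIComponent(FORGED_USERNAME)
  );
  return {
    naiveLineCount: naive.split("\n").length,   // 2: the forged entry worked
    safeLineCount: result.text.split("\n").length, // 1: escape kept it on one line
    jsonLineCount: result.json.split("\n").length, // 1: JSON escapes it too
    safeText: result.text,
    json: result.json,
  };
}

if (typeof require !== "undefined" && require.main === module) {
  const out = demo();
  console.log(out.safeText);
  console.log(out.json);
}
```

Escaping rather than deleting is a deliberate choice: a stripped character leaves no trace, while `\n` or `\x1b` in the log tells an analyst that someone tried to inject a control sequence, which is itself worth alerting on. The structured form is the stronger default, since downstream log parsers then read one JSON object per line instead of guessing where an entry ends.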