Audit: Unsanitized user input passed to server logs JS-A1004
Sanitize user queries before logging them to console
74 msw: {
75 handlers: {
76 passthrough: http.get(/^\/(?!api|trpc).*$/, (ctx) => {
77 console.log(`MSW Passthrough: ${ctx.request.url}`) 78 passthrough()
79 }),
80 },
Description
Logs serve as important records that are used by monitoring services and developers to investigate incidents. Logging unsanitized user input to the server allows the user to forge custom server logs.
In some more serious scenarios, it opens the application up to attacks like spoofing. The attacker may insert a line break in the request object, and make the second line of their log look like a log from a different user, or an info message displayed by the server.
Bad Practice
import http from "http"
import url from "url"
http.createServer((req, res) => {
const parsedUrl = url.parse(req.url, true)
// Vulnerable! user can inject special characters in the terminal
console.log(parsedUrl.query.username);
})
Recommended
import http from "http"
import url from "url"
http.createServer((req, res) => {
const parsedUrl = url.parse(req.url, true)
// NOTE: Ideally, stronger sanitization functions should be used.
// String#replace is only used as an example.
const username = parsedUrl.query.username.replace(/\n|\r/g, "")
console.log(parsedUrl.username);
})