    This configuration is overwritten if running under Gunicorn.
    """
    logging.config.dictConfig({
        'version': 1,
        'formatters': {
            'default': {
This issue highlights code that initialises logger configuration. Such code should be audited to make sure no sensitive information is being logged.
Since this is an audit issue, some occurrences may be harmless. The goal is to bring the issue to your attention. Please take a look at the Audit Checklist
mentioned later in the description.
If the occurrences don't seem to be valid, feel free to ignore them.
The configuration determines what information is logged and how it is logged. Logs might contain sensitive information that a malicious user can exploit, yet they must still contain enough information to understand the damage an attacker might have inflicted.
Audit Checklist: Make sure these points are taken care of:
debug mode.

    import logging
    import os
    from logging.config import fileConfig, dictConfig

    logging.basicConfig(level=os.environ.get("LOGLEVEL", "INFO"))  # Level comes from the environment; the default should not be DEBUG.
    fileConfig(fname='file.conf', disable_existing_loggers=False)  # Loads a file-based configuration and toggles existing loggers; 'file.conf' should be audited.
    config = {'version': 1}  # Placeholder mapping so the call below is valid; the real mapping should be audited.
    dictConfig(config)  # Configuring a logger should be audited.
    logging.disable()  # Disabling the logger (everything up to CRITICAL is silenced).

    class SomeLogger(logging.Logger):  # A custom logger implementation should be audited.
        ...

    def set_logger_class(logger_class):
        logging.setLoggerClass(logger_class)  # A custom logger implementation should be audited.

    def set_logging_last_resort(last_resort):
        logging.lastResort = last_resort  # Hints at the absence of any logging configuration. It is recommended to set up logging properly.
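The following is an added example, not code from the issue page or from any project it refers to. It puts a weak dictConfig (root logger at DEBUG, existing loggers silenced, no control over what reaches the handler) next to a hardened one whose level comes from the environment and whose handler carries a redaction filter, and it includes a small audit function that reports the checklist points above on any dictConfig-style mapping. The sensitive key list, the filter name 'redact', and the sample log line are constructed for the example.

```python
import logging
import logging.config
import os
import re

# Constructed example of a configuration that would trip the audit: DEBUG at the root
# leaks internals in production, library loggers are silenced, and nothing stops
# secrets passed as log arguments from reaching the handler verbatim.
WEAK_CONFIG = {
    'version': 1,
    'disable_existing_loggers': True,
    'formatters': {'default': {'format': '%(levelname)s %(name)s: %(message)s'}},
    'handlers': {'console': {'class': 'logging.StreamHandler', 'formatter': 'default'}},
    'root': {'level': 'DEBUG', 'handlers': ['console']},
}

# Hypothetical list of keys whose values must never be logged; extend per application.
SENSITIVE_KEYS = ('password', 'passwd', 'token', 'secret', 'authorization', 'api_key')
_SENSITIVE_RE = re.compile(r'(?i)\b(' + '|'.join(SENSITIVE_KEYS) + r')\b(\s*[=:]\s*)(\S+)')


def redact(text):
    """Mask the value that follows any sensitive key, keeping the key and separator."""
    return _SENSITIVE_RE.sub(lambda m: f'{m.group(1)}{m.group(2)}[REDACTED]', text)


class RedactingFilter(logging.Filter):
    """Format the record once, redact it, and drop args so handlers only see masked text."""

    def filter(self, record):
        record.msg = redact(record.getMessage())
        record.args = ()
        return True


def hardened_config(level=None):
    """Same shape as WEAK_CONFIG with the weak settings corrected."""
    return {
        'version': 1,
        'disable_existing_loggers': False,  # keep library loggers alive for forensics
        'filters': {'redact': {'()': RedactingFilter}},
        'formatters': {'default': {'format': '%(levelname)s %(name)s: %(message)s'}},
        'handlers': {'console': {
            'class': 'logging.StreamHandler',
            'formatter': 'default',
            'filters': ['redact'],
        }},
        # Level is taken from the environment and never defaults to DEBUG.
        'root': {'level': level or os.environ.get('LOGLEVEL', 'INFO'), 'handlers': ['console']},
    }


def audit_config(config):
    """Return audit findings for a dictConfig-style mapping (empty list when clean)."""
    findings = []
    if str(config.get('root', {}).get('level', 'WARNING')).upper() == 'DEBUG':
        findings.append('root logger at DEBUG')
    if config.get('disable_existing_loggers', True):  # dictConfig's default is True
        findings.append('disable_existing_loggers is True (silences library loggers)')
    for name, handler in config.get('handlers', {}).items():
        if 'redact' not in handler.get('filters', []):
            findings.append(f'handler {name!r} has no redaction filter')
    return findings


def demo():
    """Apply the hardened config and capture what a redacting handler actually emits."""
    logging.config.dictConfig(hardened_config('INFO'))
    captured = []

    class ListHandler(logging.Handler):
        def emit(self, record):
            captured.append(self.format(record))

    handler = ListHandler()
    handler.setFormatter(logging.Formatter('%(levelname)s %(name)s: %(message)s'))
    handler.addFilter(RedactingFilter())
    log = logging.getLogger('audit.demo')
    log.addHandler(handler)
    log.propagate = False  # keep the constructed sample out of the console handler
    log.info('login user=%s password=%s', 'alice', 'hunter2')  # constructed sample line
    log.debug('below the configured level; never reaches the handler')
    log.removeHandler(handler)
    return captured


if __name__ == '__main__':
    print('weak config findings:', audit_config(WEAK_CONFIG))
    print('hardened config findings:', audit_config(hardened_config('INFO')))
    print('captured:', demo())
```

The filter rewrites record.msg and clears record.args so that every handler downstream, including file or network handlers added later, formats the already-masked text; attaching it to the handler rather than the logger also catches records propagated from child loggers.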