Untrusted user input is logged without sanitization

This product is not supported for your selected Datadog site. ().
このページは日本語には対応しておりません。随時翻訳に取り組んでいます。
翻訳に関してご質問やご意見ございましたら、お気軽にご連絡ください

Metadata

ID: swift-security/log-injection

Language: Unknown

Severity: Warning

Category: Security

CWE: 117

Description

The application logs data that appears to originate from an untrusted source, such as a user-editable text field or a web view, without proper neutralization. This can lead to a log injection vulnerability.

An attacker could insert fake log entries, corrupt the log format, or inject malicious content (e.g., stored XSS payloads) that could be executed by a log viewing application. This manipulation can be used to cover tracks, mislead administrators, or attack other systems that consume the logs.

To mitigate this vulnerability, all untrusted input should be validated and sanitized before being written to logs. Specifically, newline characters (\r\n) and other control characters should be removed or escaped to prevent log entry forgery.

Non-Compliant Code Examples

import UIKit
import WebKit
import os.log

class UserProfileViewController: UIViewController, WKNavigationDelegate {

    var nicknameField: UITextField!
    var webView: WKWebView!

    func webView(_ webView: WKWebView, decidePolicyFor navigationAction: WKNavigationAction, decisionHandler: @escaping (WKNavigationActionPolicy) -> Void) {
        if let url = navigationAction.request.url {
            // --- VULNERABLE ---
            // The 'query' part of a URL can contain malicious input.
            print("Processing navigation action with query: \(url.query ?? "none")")
        }
        decisionHandler(.allow)
    }
}

Compliant Code Examples

import UIKit
import WebKit
import os.log

class UserProfileViewController: UIViewController, WKNavigationDelegate {

    var nicknameField: UITextField!
    var webView: WKWebView!

    // A helper function to sanitize strings before logging.
    // It removes characters that could be used to forge log entries.
    private func sanitizeForLogging(_ input: String) -> String {
        return input.replacingOccurrences(of: "\r", with: "")
                    .replacingOccurrences(of: "\n", with: "")
    }

    func webView(_ webView: WKWebView, decidePolicyFor navigationAction: WKNavigationAction, decisionHandler: @escaping (WKNavigationActionPolicy) -> Void) {
        if let url = navigationAction.request.url, let query = url.query {
             // --- FIXED ---
            // The query string is sanitized before being logged.
            let sanitizedQuery = sanitizeForLogging(query)
            print("Processing navigation action with sanitized query: \(sanitizedQuery)")
        }
        decisionHandler(.allow)
    }
}
https://static.datadoghq.com/static/images/logos/github_avatar.svg https://static.datadoghq.com/static/images/logos/vscode_avatar.svg jetbrains

シームレスな統合。 Datadog Code Security をお試しください

Datadog Code Security