Recommendation¶

User input should be suitably sanitized before it is logged.

If the log entries are in plain text, then line breaks should be removed from user input usingString::replace or similar. Care should also be taken that user input is clearly marked in log entries.

For log entries that will be displayed in HTML, user input should be HTML-encoded before being logged, to prevent forgery and other forms of HTML injection.

Example¶

In the first example, a username, provided by the user via command line arguments, is logged using thelog crate. If a malicious user providesGuest\n[INFO]User:Admin\n as a username parameter, the log entry will be split into multiple lines, where the second line will appear as[INFO]User:Admin, potentially forging a legitimate admin login entry.

usestd::env;uselog::info;fnmain(){env_logger::init();// Get username from command line argumentsletargs:Vec<String>=env::args().collect();letusername=args.get(1).unwrap_or(&String::from("Guest")).clone();// BAD: log message constructed with unsanitized user inputinfo!("User login attempt: {}",username);}

In the second example,String::replace is used to ensure no line endings are present in the user input before logging.

usestd::env;uselog::info;fnsanitize_for_logging(input:&str)->String{// Remove newlines and carriage returns to prevent log injectioninput.replace('\n',"").replace('\r',"")}fnmain(){env_logger::init();// Get username from command line argumentsletargs:Vec<String>=env::args().collect();letusername=args.get(1).unwrap_or(&String::from("Guest")).clone();// GOOD: log message constructed with sanitized user inputletsanitized_username=sanitize_for_logging(username.as_str());info!("User login attempt: {}",sanitized_username);}

References¶

• OWASP:Log Injection.

• Common Weakness Enumeration:CWE-117.