Configuring loggers is security-sensitive. It has led in the past to the following vulnerabilities:
Logs are useful before, during and after a security incident.
Logs are also a target for attackers because they might contain sensitive information. Configuring loggers has an impact on the type of information logged and how they are logged.
This rule flags for review code that initiates loggers configuration. The goal is to guide security code reviews.
There is a risk if you answered yes to any of those questions.
Remember that configuring loggers properly doesn’t make them bullet-proof. Here is a list of recommendations explaining on how to use your logs:
.Net Core: configure programmatically
using System;
using System.Collections;
using System.Collections.Generic;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Logging;
using Microsoft.Extensions.Options;
using Microsoft.AspNetCore;
namespace MvcApp
{
public class ProgramLogging
{
public static IWebHostBuilder CreateWebHostBuilder(string[] args) =>
WebHost.CreateDefaultBuilder(args)
.ConfigureLogging((hostingContext, logging) => // Sensitive
{
// ...
})
.UseStartup<StartupLogging>();
}
public class StartupLogging
{
public void ConfigureServices(IServiceCollection services)
{
services.AddLogging(logging => // Sensitive
{
// ...
});
}
public void Configure(IApplicationBuilder app, IHostingEnvironment env, ILoggerFactory loggerFactory)
{
IConfiguration config = null;
LogLevel level = LogLevel.Critical;
Boolean includeScopes = false;
Func<string,Microsoft.Extensions.Logging.LogLevel,bool> filter = null;
Microsoft.Extensions.Logging.Console.IConsoleLoggerSettings consoleSettings = null;
Microsoft.Extensions.Logging.AzureAppServices.AzureAppServicesDiagnosticsSettings azureSettings = null;
Microsoft.Extensions.Logging.EventLog.EventLogSettings eventLogSettings = null;
// An issue will be raised for each call to an ILoggerFactory extension methods adding loggers.
loggerFactory.AddAzureWebAppDiagnostics(); // Sensitive
loggerFactory.AddAzureWebAppDiagnostics(azureSettings); // Sensitive
loggerFactory.AddConsole(); // Sensitive
loggerFactory.AddConsole(level); // Sensitive
loggerFactory.AddConsole(level, includeScopes); // Sensitive
loggerFactory.AddConsole(filter); // Sensitive
loggerFactory.AddConsole(filter, includeScopes); // Sensitive
loggerFactory.AddConsole(config); // Sensitive
loggerFactory.AddConsole(consoleSettings); // Sensitive
loggerFactory.AddDebug(); // Sensitive
loggerFactory.AddDebug(level); // Sensitive
loggerFactory.AddDebug(filter); // Sensitive
loggerFactory.AddEventLog(); // Sensitive
loggerFactory.AddEventLog(eventLogSettings); // Sensitive
loggerFactory.AddEventLog(level); // Sensitive
loggerFactory.AddEventSourceLogger(); // Sensitive
IEnumerable<ILoggerProvider> providers = null;
LoggerFilterOptions filterOptions1 = null;
IOptionsMonitor<LoggerFilterOptions> filterOptions2 = null;
LoggerFactory factory = new LoggerFactory(); // Sensitive
new LoggerFactory(providers); // Sensitive
new LoggerFactory(providers, filterOptions1); // Sensitive
new LoggerFactory(providers, filterOptions2); // Sensitive
}
}
}
Log4Net
using System;
using System.IO;
using System.Xml;
using log4net.Appender;
using log4net.Config;
using log4net.Repository;
namespace Logging
{
class Log4netLogging
{
void Foo(ILoggerRepository repository, XmlElement element, FileInfo configFile, Uri configUri, Stream configStream,
IAppender appender, params IAppender[] appenders) {
log4net.Config.XmlConfigurator.Configure(repository); // Sensitive
log4net.Config.XmlConfigurator.Configure(repository, element); // Sensitive
log4net.Config.XmlConfigurator.Configure(repository, configFile); // Sensitive
log4net.Config.XmlConfigurator.Configure(repository, configUri); // Sensitive
log4net.Config.XmlConfigurator.Configure(repository, configStream); // Sensitive
log4net.Config.XmlConfigurator.ConfigureAndWatch(repository, configFile); // Sensitive
log4net.Config.DOMConfigurator.Configure(); // Sensitive
log4net.Config.DOMConfigurator.Configure(repository); // Sensitive
log4net.Config.DOMConfigurator.Configure(element); // Sensitive
log4net.Config.DOMConfigurator.Configure(repository, element); // Sensitive
log4net.Config.DOMConfigurator.Configure(configFile); // Sensitive
log4net.Config.DOMConfigurator.Configure(repository, configFile); // Sensitive
log4net.Config.DOMConfigurator.Configure(configStream); // Sensitive
log4net.Config.DOMConfigurator.Configure(repository, configStream); // Sensitive
log4net.Config.DOMConfigurator.ConfigureAndWatch(configFile); // Sensitive
log4net.Config.DOMConfigurator.ConfigureAndWatch(repository, configFile); // Sensitive
log4net.Config.BasicConfigurator.Configure(); // Sensitive
log4net.Config.BasicConfigurator.Configure(appender); // Sensitive
log4net.Config.BasicConfigurator.Configure(appenders); // Sensitive
log4net.Config.BasicConfigurator.Configure(repository); // Sensitive
log4net.Config.BasicConfigurator.Configure(repository, appender); // Sensitive
log4net.Config.BasicConfigurator.Configure(repository, appenders); // Sensitive
}
}
}
NLog: configure programmatically
namespace Logging
{
class NLogLogging
{
void Foo(NLog.Config.LoggingConfiguration config) {
NLog.LogManager.Configuration = config; // Sensitive, this changes the logging configuration.
}
}
}
Serilog
namespace Logging
{
class SerilogLogging
{
void Foo() {
new Serilog.LoggerConfiguration(); // Sensitive
}
}
}