Improper Neutralization of Equivalent Special Elements in delgan/loguru
Reported on
Jan 27th 2022
Description
Loguru is vulnerable to log injection on all logging methods: an attacker-controlled value containing a newline ("\n") creates a new, forged entry in the log file. This allows attackers to tamper with logs and results in a loss of integrity of the log files.
Proof of Concept
from loguru import logger
# attacker-controlled value: a newline followed by a forged record in loguru's default format
username = "Josh just logged in\n2022-01-24 22:39:30.976 | INFO | __main__:<module>:5 - User James"
logger.add("inject.log")
logger.info("User " + username + " just logged in.")
Result:
2022-01-24 22:39:26.190 | INFO | __main__:<module>:5 - User Josh just logged in
2022-01-24 22:39:30.976 | INFO | __main__:<module>:5 - User James just logged in.
Impact
Users can inject logs into loguru via newlines. This affects logger.trace, logger.debug, logger.info, logger.success, logger.warning, logger.error, logger.critical, logger.exception, logger.log functions (9 functions in total).
Recommended Fix
Escape special characters (such as \n and \r) by default. As a comparison, other logging frameworks such as PHP's Monolog do this by default.
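The following is an added example of the recommended mitigation, written for this report and not part of loguru itself. It escapes ASCII control characters (newline, carriage return, tab, and the rest of 0x00-0x1f plus 0x7f) before the message reaches the sink, so the forensic content of an untrusted value survives but it can no longer terminate a record or start a forged one. The record dict layout and the wiring through logger.patch(), which passes loguru's record dict to a callable before handlers emit it, are assumptions based on loguru's documented patcher hook; the loguru part only runs if the library is installed, and the rest is plain Python reusing the report's proof-of-concept value as constructed input.

```python
import re
from typing import Dict

# Match every ASCII control character, including \n and \r, which are the
# characters that let a value break out of the current log line.
_CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")

# Readable escapes for the common cases; everything else becomes \xNN.
_ESCAPES = {"\n": "\\n", "\r": "\\r", "\t": "\\t"}


def escape_control_chars(text: str) -> str:
    """Return text with every control character replaced by a visible escape."""
    def _sub(match: "re.Match[str]") -> str:
        ch = match.group(0)
        return _ESCAPES.get(ch, "\\x%02x" % ord(ch))
    return _CONTROL_CHARS.sub(_sub, text)


def sanitize_record(record: Dict) -> None:
    """Patcher-style hook (assumed shape: a dict with a "message" key, as
    loguru's logger.patch() supplies). Rewrites the message in place so the
    sink only ever sees a single-line message."""
    record["message"] = escape_control_chars(record["message"])


def render_line(record: Dict) -> str:
    """Stand-in for loguru's default line layout, used here so the example
    runs without loguru installed."""
    return "{time} | {level} | {name}:{function}:{line} - {message}".format(**record)


def demo():
    """Render the report's proof-of-concept value unsanitized and sanitized.
    Returns (unsafe_line, safe_line)."""
    # Constructed input: the same attacker-controlled value as the PoC above.
    username = ("Josh just logged in\n"
                "2022-01-24 22:39:30.976 | INFO | __main__:<module>:5 - User James")
    record = {
        "time": "2022-01-24 22:39:26.190",
        "level": "INFO",
        "name": "__main__",
        "function": "<module>",
        "line": 5,
        "message": "User " + username + " just logged in.",
    }
    unsafe = render_line(record)      # two physical lines: the forged record is now a real entry
    sanitize_record(record)
    safe = render_line(record)        # one physical line; "\n" is visible as the two characters \ n
    return unsafe, safe


if __name__ == "__main__":
    unsafe, safe = demo()
    print("--- without escaping ---")
    print(unsafe)
    print("--- with escaping ---")
    print(safe)
    try:
        from loguru import logger
    except ImportError:
        pass
    else:
        # Assumed wiring: patch() returns a new logger whose records pass through
        # sanitize_record before any handler formats them.
        safe_logger = logger.patch(sanitize_record)
        safe_logger.info("User {} just logged in.", "Josh\nforged line")
```

Escaping at the patcher level, rather than at every call site, matches the report's point that all nine logging methods are affected: one hook covers them all. A line in the resulting log that contains a literal `\n` or `\r` sequence is then itself a useful detection signal, since it records that an untrusted value tried to embed a line break.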