Improper Neutralization of Equivalent Special Elements in delgan/loguru
Jan 27th 2022
Loguru is vulnerable to log injection in all of its logging methods: a logged value containing a newline ("\n") is written verbatim, so a newline followed by a forged record prefix starts what looks like a new log entry in the log file. An attacker who controls any value that gets logged can therefore insert fake entries and tamper with the logs, resulting in a loss of log-file integrity.
Proof of Concept
from loguru import logger

username = "Josh just logged in\n2022-01-24 22:39:30.976 | INFO | __main__:<module>:5 - User James"
logger.add("inject.log")
logger.info("User " + username + " just logged in.")
Resulting content of inject.log (the second line is entirely attacker-supplied):

2022-01-24 22:39:26.190 | INFO | __main__:<module>:5 - User Josh just logged in
2022-01-24 22:39:30.976 | INFO | __main__:<module>:5 - User James just logged in.
Anyone whose input reaches a logging call can inject forged log entries into loguru's output via newlines. This affects logger.trace, logger.debug, logger.info, logger.success, logger.warning, logger.error, logger.critical, logger.exception and logger.log (9 functions in total).
Escape special characters such as \n and \r in the message by default, so that one record can never span more than one line of the file. For comparison, PHP's Monolog neutralizes line breaks in its default line formatter unless that behaviour is explicitly switched off.
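The following is an added example, not code from the report or from loguru, showing the proof of concept above beside the mitigation just recommended. It reproduces loguru's default line format on a plain string (assumed from the loguru documentation) so the effect can be checked without a sink, escapes every ASCII control character rather than only \n and \r (a generalization: \x1b would otherwise allow terminal escape injection into anyone tailing the file), and wraps the sanitizer in a loguru patcher; the patcher's ability to rewrite record["message"] before the sinks see it, the RECORD_START pattern and the USERNAME payload are assumptions or constructed input:

```python
import re

# Loguru's default sink format, reproduced here (assumption: taken from the
# loguru documentation) so the effect of a newline can be shown on a string.
DEFAULT_FORMAT = "{time} | {level:<8} | {name}:{function}:{line} - {message}"

# Anything that starts with a timestamp and a level reads as a record boundary
# to a human or a line-oriented tool (assumption: good enough for the demo).
RECORD_START = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3} \| \w+\s*\| ")

# All ASCII control characters, which covers \n, \r, \t and ESC (0x1b).
CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")


def neutralize(value: str) -> str:
    """Escape control characters in an untrusted value so it can neither end
    the current record nor start a forged one, and cannot emit terminal escapes."""
    def escape(match):
        ch = match.group()
        return {"\n": "\\n", "\r": "\\r", "\t": "\\t"}.get(ch, "\\x%02x" % ord(ch))
    return CONTROL_CHARS.sub(escape, value)


def render(message: str, time="2022-01-24 22:39:26.190", level="INFO",
           name="__main__", function="<module>", line=5) -> str:
    """Render one record the way loguru's default format writes it."""
    return DEFAULT_FORMAT.format(time=time, level=level, name=name,
                                 function=function, line=line, message=message)


def count_records(log_text: str) -> int:
    """Count apparent records: lines that begin with a record prefix."""
    return sum(1 for line in log_text.splitlines() if RECORD_START.match(line))


# Constructed attacker input: the payload from the proof of concept.
USERNAME = ("Josh just logged in\n"
            "2022-01-24 22:39:30.976 | INFO     | __main__:<module>:5 - User James")


def vulnerable_line() -> str:
    """What loguru writes today: the payload splits into two apparent records."""
    return render("User " + USERNAME + " just logged in.")


def hardened_line() -> str:
    """Same call with the value neutralized first: one record, newline escaped."""
    return render("User " + neutralize(USERNAME) + " just logged in.")


def patched(logger):
    """Return a loguru logger whose records pass through neutralize() before any
    sink sees them (assumption: a patcher may rewrite record["message"]).
    logger.patch() returns a new logger; the one passed in is left unchanged."""
    return logger.patch(lambda record: record.update(message=neutralize(record["message"])))


if __name__ == "__main__":
    from loguru import logger  # only needed for the live demonstration
    logger.add("inject.log")   # sinks are shared, so the patched logger uses it too
    patched(logger).info("User " + USERNAME + " just logged in.")
    print(vulnerable_line())
    print(hardened_line())
```

Sanitizing at the application boundary is a stopgap; the recommendation above is for the library to do this itself. Applications that cannot wait can also write records with logger.add(sink, serialize=True), whose one-JSON-object-per-record output escapes the newline inside the message field, so a line-oriented reader never sees a forged prefix at the start of a line.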