Improper Privilege Management in delgan/loguru

Valid

Reported on

Jan 11th 2022


BUG

Unprivileged users can read the log file, and sensitive information is disclosed

SUMMARY

loguru creates a log file to store the log. The log may contain a lot of sensitive information such as usernames, passwords, tokens, keys, etc.
So this log file should not be accessible by other users.
But when loguru creates the log file, the file permission is -rw-rw-r-- 1 user user 345 Jan 11 14:47 combined.log, which can be accessed by any user.
On a Linux system there may be many users with different privileges, but any user can read this log file.

STEPS TO REPRODUCE

Run the code below:

from loguru import logger
data="Data to be logged , password123 is incorrect" #sensitive data logging
logger.add("combined.log") #creating log file with insecure permission
logger.info(data)

Now a combined.log file will be created with all the log information. Check the file permission:

user@user-xx:~$ ls -lh combined.log
-rw-rw-r-- 1 user user 345 Jan 11 14:47 combined.log

So this file has read permission for all system users. Thus any user can read this log file. I see that almost all web servers, loggers, etc. log their info in a file which is only accessible by the current user who created the file. But in this case it has read permission for all users.

SUGGESTED FIX

You should change the log file permission so it is accessible only by the current user who created the file or a sudo user.

We are processing your report and will contact the delgan/loguru team within 24 hours. 4 months ago
We have contacted a member of the delgan/loguru team and are waiting to hear back 4 months ago
delgan
4 months ago

Maintainer


Hi.

Loguru uses the same default permissions as any other Python logging library (especially the standard one).

However, one can easily configure Loguru to use the preferred file permissions:

import os

def opener(file, flags):
    # Create the file with mode 0o600 (owner read/write only); the mode only
    # applies at creation time and is further restricted by the umask.
    return os.open(file, flags, 0o600)

logger.add("combined.log", opener=opener)

Loguru is perfectly secure to use. I'll add a word in the documentation about that.
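An added example (not loguru's own code) of the opener approach above, using the built-in open() whose opener= parameter takes the same callable shape shown for logger.add(). It also checks the caveat a practitioner hits in practice: the 0o600 mode is applied only when the file is created, so a log file that already exists as -rw-rw-r-- keeps that mode until it is chmod'ed explicitly. It assumes a POSIX filesystem; the log lines are constructed samples.

```python
import os
import stat
import tempfile


def private_opener(file, flags):
    """Opener usable with open(..., opener=...) and as loguru's opener= argument.
    Mode 0o600 applies only on creation; an existing file keeps its mode, and
    the process umask can only remove bits from 0o600, never add any."""
    return os.open(file, flags, 0o600)


def file_mode(path):
    """Return the permission bits of path, e.g. 0o600."""
    return stat.S_IMODE(os.stat(path).st_mode)


def is_private(path):
    """True when neither group nor others have any access bits on path."""
    return file_mode(path) & (stat.S_IRWXG | stat.S_IRWXO) == 0


def write_log_line(path, line, opener=private_opener):
    """Append one line to path, creating the file through `opener` if needed."""
    with open(path, "a", opener=opener) as fh:
        fh.write(line + "\n")
    return file_mode(path)


def demo(directory=None):
    """Create a fresh log privately, then show that a pre-existing 0o664 log
    is not tightened by the opener and needs an explicit chmod."""
    with tempfile.TemporaryDirectory() as tmp:
        directory = directory or tmp
        fresh = os.path.join(directory, "fresh.log")
        mode_fresh = write_log_line(fresh, "password123 is incorrect")  # constructed
        fresh_private = is_private(fresh)
        existing = os.path.join(directory, "existing.log")
        with open(existing, "w") as fh:  # created with the default umask-derived mode
            fh.write("older entry\n")
        os.chmod(existing, 0o664)  # reproduce the -rw-rw-r-- observed in the report
        mode_unchanged = write_log_line(existing, "new entry")  # opener can't tighten it
        unchanged_private = is_private(existing)
        os.chmod(existing, 0o600)  # the fix for logs that already exist
        return {"fresh": mode_fresh, "fresh_private": fresh_private,
                "existing_after_opener": mode_unchanged,
                "existing_private_before_chmod": unchanged_private,
                "existing_after_chmod": file_mode(existing)}


if __name__ == "__main__":
    print({k: oct(v) if isinstance(v, int) and not isinstance(v, bool) else v
           for k, v in demo().items()})
```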

ranjit-git
4 months ago

Researcher


Thanks for the reply. Can you please change the report status by validating it.

ranjit-git
4 months ago

Researcher


import os

def opener(file, flags):
    # Create the log file with owner-only read/write permission (0o600)
    return os.open(file, flags, 0o600)

logger.add("combined.log", opener=opener)

I didn't know that there is a handler for changing the permission. But a default permission of 600 would be better because most users don't change the file permission manually. Thanks again.

We have sent a follow up to the delgan/loguru team. We will try again in 7 days. 4 months ago
delgan
4 months ago

Maintainer


Hi @ranjit-git.

I'm not sure I should validate the security report, because that would acknowledge that Loguru contains CWE-269 weakness, right?

This is an issue qualified as "High Severity" yet we both agreed that Loguru does not contain such issue per se. I'm afraid it will confuse the user into thinking that Loguru is not secure.

Can the severity be somehow lowered?

ranjit-git modified the report
4 months ago
ranjit-git
4 months ago

Researcher


@maintainer I just lowered the severity to 5.4. Is this ok?

ranjit-git modified the report
4 months ago
ranjit-git
4 months ago

Researcher


Sorry, it's 4.3 severity now.

ranjit-git
4 months ago

Researcher


Hi @maintainer any update?

delgan validated this vulnerability 4 months ago
ranjit-git has been awarded the disclosure bounty
The fix bounty is now up for grabs
delgan
4 months ago

Maintainer


Sorry for the delay and thanks for lowering the severity. ;)

delgan confirmed that a fix has been merged on ea3937 4 months ago
The fix bounty has been dropped
_file_sink.py#L16-L372 has been validated
_logger.py#L75-L1900 has been validated