Improper Neutralization of Equivalent Special Elements in delgan/loguru

Valid

Reported on

Jan 27th 2022


Description

Loguru is vulnerable to log injection on all logging methods: a message containing newlines ("\n") is written as-is, so each injected newline starts what looks like a new log entry in the logfile. An attacker who controls part of a logged string can therefore forge log records, tampering with the logs and undermining the integrity of the log files.

Proof of Concept

from loguru import logger

username = "Josh just logged in\n2022-01-24 22:39:30.976 | INFO     | __main__:<module>:5 - User James"
logger.add("inject.log")
logger.info("User " + username + " just logged in.")

Result:

2022-01-24 22:39:26.190 | INFO     | __main__:<module>:5 - User Josh just logged in
2022-01-24 22:39:30.976 | INFO     | __main__:<module>:5 - User James just logged in.

Impact

Any untrusted value that reaches a loguru message can inject fabricated log records via newlines. This affects the logger.trace, logger.debug, logger.info, logger.success, logger.warning, logger.error, logger.critical, logger.exception and logger.log functions (9 functions in total).

Recommended Fix

Escape special characters (such as \n and \r) by default. As a comparison, other logging frameworks such as PHP's Monolog do this by default.
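As an added illustration of that recommendation (not code from the report or from loguru itself), the helper below escapes control characters in untrusted input before it is formatted into a record, and counts records in a constructed stand-in for loguru's default line format to show that the report's own payload no longer produces a second entry. The loguru hook-up via logger.patch() is optional and guarded so the example also runs without loguru installed.

```python
import re

# Control characters that a plain-text, one-record-per-line sink cannot
# contain without breaking its layout (\n and \r above all).
_CONTROL = re.compile(r"[\x00-\x1f\x7f]")
_NAMED = {"\n": "\\n", "\r": "\\r", "\t": "\\t"}


def neutralize(value: str) -> str:
    """Escape control characters in untrusted input so it cannot end the
    current log record and forge a new one."""
    return _CONTROL.sub(
        lambda m: _NAMED.get(m.group(), "\\x%02x" % ord(m.group())), value
    )


# Constructed stand-in for loguru's default line format, so the effect can be
# shown without a real sink (timestamp and location are fixed sample values).
def render(message: str) -> str:
    return "2022-01-24 22:39:26.190 | INFO     | __main__:<module>:5 - " + message


# A record starts with a timestamp prefix; count how many the text contains.
_RECORD_START = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3} \| ", re.M)


def record_count(logfile_text: str) -> int:
    return len(_RECORD_START.findall(logfile_text))


# The same payload as the report's proof of concept (constructed input).
USERNAME = ("Josh just logged in\n2022-01-24 22:39:30.976 | INFO     | "
            "__main__:<module>:5 - User James")


def demo():
    unsafe = render("User " + USERNAME + " just logged in.")
    safe = render("User " + neutralize(USERNAME) + " just logged in.")
    return record_count(unsafe), record_count(safe)  # (2, 1)


# Optional: apply the same neutralization to every record of a real loguru
# logger through logger.patch(); guarded so the example runs without loguru.
try:
    from loguru import logger

    safe_logger = logger.patch(
        lambda record: record.update(message=neutralize(record["message"]))
    )
except ImportError:  # loguru not installed; the pure-Python part still runs
    safe_logger = None
```

Escaping at the sink (as the patcher does) protects every call site at once, whereas calling neutralize() only on the one field shown in the proof of concept leaves every other logged input unprotected.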

We are processing your report and will contact the delgan/loguru team within 24 hours. 4 months ago
haxatron modified the report 4 months ago
We have contacted a member of the delgan/loguru team and are waiting to hear back 4 months ago
delgan validated this vulnerability 4 months ago
haxatron has been awarded the disclosure bounty
The fix bounty is now up for grabs
delgan confirmed that a fix has been merged on bc1dab 4 months ago
The fix bounty has been dropped
_logger.py#L1963L1964 has been validated
_logger.py#L1959L1960 has been validated
_logger.py#L1992L1994 has been validated