Log Injection in Django
How Log Injection Manifests in Django
Log injection in Django occurs when untrusted user input is directly written to log files without proper sanitization, enabling attackers to manipulate log content and potentially compromise systems that parse these logs. Django's logging framework, while robust, can be vulnerable when developers fail to validate or escape log messages containing user-supplied data.
The most common Django-specific attack pattern involves request data injection. Consider a Django view that logs user actions:
def update_profile(request):
user = request.user
data = request.POST
logger.info(f"User {user.username} updated profile with data: {data}")
# ... processing logic
An attacker can submit form data containing newline characters and crafted log messages:
POST /update-profile/ HTTP/1.1
Content-Type: application/x-www-form-urlencoded
bio=New%20bio%0AERROR%20Something%20critical%20happened%0AUser%20admin%20logged%20out%0A
location=Somewhere
This injects multiple log entries, potentially triggering alerts, hiding malicious activity, or causing log parsers to malfunction. The log file might contain:
[INFO] User alice updated profile with data: {'bio': 'New bio
ERROR Something critical happened
User admin logged out
', 'location': 'Somewhere'}
Another Django-specific manifestation occurs in exception logging. Django's default logging configuration captures full exception traces, including user input:
try:
user_profile = UserProfile.objects.get(user=request.user)
except UserProfile.DoesNotExist:
logger.error(f"Profile not found for user: {request.user.username}")
raise
If an attacker crafts their username with special characters or log injection payloads, these appear in error logs, potentially triggering security alerts or masking actual errors.
Middleware logging presents another vulnerability. Django middleware often logs request information:
class RequestLoggingMiddleware:
def process_request(self, request):
logger.debug(f"Request from {request.META['REMOTE_ADDR']}: {request.path}")
Attackers can manipulate headers like X-Forwarded-For or User-Agent to inject malicious content into logs.
Database query logging in Django can also be exploited. When DEBUG=True, Django logs all SQL queries, which may include user input:
def search_products(request):
query = request.GET.get('q', '')
products = Product.objects.filter(name__icontains=query)
# DEBUG logging shows: SELECT * FROM products WHERE name ILIKE '%user_input%'
If the search query contains newline characters or crafted payloads, these appear in SQL logs, potentially confusing log analysis systems.
Django-Specific Detection
Detecting log injection in Django requires both manual code review and automated scanning. middleBrick's API security scanner includes specific checks for log injection vulnerabilities in Django applications.
middleBrick scans Django applications by analyzing request/response patterns and identifying logging statements that handle user input. The scanner looks for:
- Direct interpolation of request data into log messages using f-strings or .format()
- Logging of POST data, query parameters, or headers without sanitization
- Exception logging that includes user context information
- Middleware that logs request metadata
- Database query logging with user input
- Custom logging configurations that may be vulnerable
The scanner tests for log injection by sending payloads containing newline characters, log levels, and crafted messages to various endpoints, then analyzing the resulting log output for injection success.
For manual detection in Django codebases, search for these patterns:
grep -r "logger\.\|logging\." . --include="*.py" | grep -E "(request\.|request\.|POST|GET|headers|META)"
This finds logging statements that reference request objects. Review each instance to ensure proper sanitization.
Django's logging configuration can also reveal vulnerabilities. Check settings.py for:
LOGGING = {
'version': 1,
'disable_existing_loggers': False,
'handlers': {
'console': {
'class': 'logging.StreamHandler',
},
'file': {
'class': 'logging.FileHandler',
'filename': '/var/log/django/app.log',
},
},
'loggers': {
'django': {
'handlers': ['console', 'file'],
'level': 'DEBUG' if DEBUG else 'INFO',
},
},
}
Ensure DEBUG logging is disabled in production, as it logs more sensitive information including SQL queries with user input.
middleBrick's CLI tool can scan Django applications directly:
npm install -g middlebrick
middlebrick scan https://your-django-app.com
The scanner provides a security score and specific findings with remediation guidance for any log injection vulnerabilities discovered.
Django-Specific Remediation
Remediating log injection in Django requires sanitizing user input before logging and using safe logging practices. Here are Django-specific solutions:
First, use Django's built-in logging utilities that provide safer string formatting:
import logging
logger = logging.getLogger(__name__)
def update_profile(request):
user = request.user
data = request.POST.copy() # Create mutable copy
# Sanitize data before logging
for key in data:
if '\n' in data[key]:
data[key] = data[key].replace('\n', ' ')
# Use structured logging with placeholders
logger.info('User %s updated profile with data: %s', user.username, data)
Django's logging framework supports structured logging, which separates data from formatting:
from django.utils.log import logging
logger.info('User profile update', extra={'username': user.username, 'data': dict(data)})
This approach prevents injection by treating user data as structured information rather than interpolated strings.
For request logging in middleware, sanitize inputs:
class SafeRequestLoggingMiddleware:
def process_request(self, request):
# Sanitize headers and other user-controlled data
safe_headers = dict(request.META)
for key in safe_headers:
if isinstance(safe_headers[key], str) and '\n' in safe_headers[key]:
safe_headers[key] = safe_headers[key].replace('\n', ' ')
logger.debug('Request from %s: %s',
request.META.get('REMOTE_ADDR'),
request.path,
extra={'headers': safe_headers})
Create a utility function for safe logging:
def safe_log(message, *args):
sanitized_args = []
for arg in args:
if isinstance(arg, str) and '\n' in arg:
sanitized_args.append(arg.replace('\n', ' '))
else:
sanitized_args.append(arg)
logger.info(message, *sanitized_args)
Use this throughout your Django application to ensure consistent sanitization.
For exception logging, avoid including user input in error messages:
try:
user_profile = UserProfile.objects.get(user=request.user)
except UserProfile.DoesNotExist:
logger.error('Profile lookup failed for user ID: %s', request.user.id)
raise
Log user identifiers instead of usernames or other user-controlled data.
Configure Django to use structured logging in settings.py:
LOGGING = {
'version': 1,
'disable_existing_loggers': False,
'formatters': {
'json': {
'()': 'pythonjsonlogger.jsonlogger.JsonFormatter',
},
},
'handlers': {
'console': {
'class': 'logging.StreamHandler',
'formatter': 'json',
},
},
'loggers': {
'django': {
'handlers': ['console'],
'level': 'INFO',
},
},
}
Structured JSON logging makes it harder to inject malicious content and easier to parse logs securely.
Add log injection checks to your Django test suite:
from unittest.mock import patch
import logging
def test_log_injection_protection(self):
with patch('logging.Logger.info') as mock_logger:
malicious_data = 'bio=New%20bio%0AERROR%20Test%0A'
# Call your view with malicious data
response = self.client.post('/update-profile/', {'bio': malicious_data})
# Verify logger was called with sanitized data
mock_logger.assert_called()
call_args = mock_logger.call_args[0][1]
self.assertNotIn('\n', call_args.get('bio', ''))
This ensures your logging remains secure as code evolves.