Log Injection in Django with Mutual Tls
Log Injection in Django with Mutual Tls — how this specific combination creates or exposes the vulnerability
Log Injection occurs when an attacker can control or influence data that is written to application or system logs. In Django, this commonly arises through log messages that include unsanitized request data such as headers, query parameters, or usernames. When Mutual TLS (mTLS) is enforced, the client certificate is often inspected and its attributes—such as the Common Name (CN), Organization (O), or Subject Alternative Names (SANs)—are used for authentication and logging. If these certificate fields are directly interpolated into log entries without validation or escaping, they become a vector for log injection.
For example, a developer might log the client distinguished name (DN) to aid in audit trails:
import logging
logger = logging.getLogger(__name__)
def my_view(request):
peer = request.META.get('SSL_CLIENT_S_DN_CN') # mTLS field
logger.info(f'Authenticated user: {peer}')
An attacker with a valid certificate could supply a CN containing newline characters or structured log delimiters (e.g., Alice\n127.0.0.1), causing log forging, log injection, or log injection–based attacks such as log forging or log injection that can obscure other malicious activity. Because mTLS terminates and validates the client certificate before Django processes the request, the certificate fields are treated as trusted input, which increases the risk that developers will skip sanitization.
Additionally, mTLS setups often integrate with centralized logging or Security Information and Event Management (SIEM) systems. If log injection is present, an attacker could manipulate log severity markers, inject structured log syntax (such as JSON key separators), or forge entries that appear to originate from legitimate clients. This complicates detection and incident response. The OWASP API Security Top 10’s Security Logging and Monitoring Failures category captures this class of risk, and real-world patterns resemble CVE-like scenarios where log injection leads to alert suppression or tampering.
Another subtle risk arises when log messages include request-scoped data derived from mTLS attributes combined with user input. Consider a view that logs a failed authentication attempt:
logger.warning('Failed login for dn=%s, username=%s',
request.META.get('SSL_CLIENT_S_DN'),
username)
If the username is sourced from an unescaped query parameter and the DN contains carriage returns, the resulting log line can corrupt the log format, making it difficult to parse and potentially enabling log injection that affects downstream analytics.
Mutual Tls-Specific Remediation in Django — concrete code fixes
To mitigate log injection in a Django application using Mutual TLS, treat all data derived from the TLS handshake—including certificate fields—as untrusted input. Apply canonicalization, strict validation, and safe logging practices.
1. Validate and sanitize certificate-derived fields before logging
Do not directly embed certificate fields in log messages. Instead, normalize them (e.g., restrict to alphanumeric characters and a limited set of punctuation) and enforce length limits:
import logging
import re
logger = logging.getLogger(__name__)
SANITIZE_PATTERN = re.compile(r'[^A-Za-z0-9._-]')
def safe_dn_component(value: str) -> str:
if not value:
return '(missing)'
cleaned = SANITIZE_PATTERN.sub('', value)
return cleaned[:128]
def my_view(request):
peer_raw = request.META.get('SSL_CLIENT_S_DN_CN', '')
peer = safe_dn_component(peer_raw)
logger.info('Authenticated user: %s', peer)
2. Use structured logging with proper escaping
Prefer structured logging (e.g., JSON) and allow the logging framework to handle serialization. This reduces the risk of newline or delimiter injection:
import logging
import json
logger = logging.getLogger(__name__)
class JsonFormatter(logging.Formatter):
def format(self, record):
payload = {
'timestamp': self.formatTime(record),
'level': record.levelname,
'message': record.getMessage(),
'dn_cn': getattr(record, 'dn_cn', None),
}
return json.dumps(payload)
handler = logging.StreamHandler()
handler.setFormatter(JsonFormatter())
logger.addHandler(handler)
def my_view(request):
peer_raw = request.META.get('SSL_CLIENT_S_DN_CN', '')
peer = safe_dn_component(peer_raw)
logger.info('Authenticated user', extra={'dn_cn': peer})
3. Enforce mTLS at the proxy or load balancer and pass verified metadata safely
When using an ingress controller or reverse proxy that handles mTLS, configure it to set vetted headers instead of passing raw certificate fields. In Django, read those headers with validation:
import logging
from django.http import HttpRequest
logger = logging.getLogger(__name__)
def get_verified_peer(request: HttpRequest) -> str:
# Example: X-SSL-CN set by the proxy after mTLS verification
peer = request.META.get('HTTP_X_SSL_CN', '')
return safe_dn_component(peer)
def my_view(request):
peer = get_verified_peer(request)
logger.info('Authenticated user: %s', peer)
4. Comply with framework guidance and monitor logs
Follow Django’s logging configuration best practices and ensure that any third-party logging libraries are configured to escape newlines. Combine this with continuous monitoring rules that detect anomalous log patterns indicative of injection attempts.
By coupling mTLS with disciplined input handling and structured logging, you reduce the attack surface for log injection while preserving the auditability that mTLS provides.