igbuend/log-injection-anti-pattern
skills/log-injection-anti-pattern/SKILL.md
Security anti-pattern for log injection vulnerabilities (CWE-117). Use when generating or reviewing code that writes to log files, handles logging of user input, or processes log data. Detects unsanitized data in log messages enabling log forging and CRLF injection.
$ install --global
skillsauthnpx skillsauth add igbuend/grimbard log-injection-anti-patternInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Apr 5, 2026, 8:19 PM35.4s1 file scanned
SKILL.md
- name:
- log-injection-anti-pattern
- description:
- Security anti-pattern for log injection vulnerabilities (CWE-117). Use when generating or reviewing code that writes to log files, handles logging of user input, or processes log data. Detects unsanitized data in log messages enabling log forging and CRLF injection.
Log Injection Anti-Pattern
Severity: Medium
Summary
Log injection occurs when attackers write arbitrary data into log files by injecting newlines (\n) and carriage returns (\r) through unsanitized user input. Attackers create fake log entries to hide malicious activity, mislead administrators, and exploit log analysis tools.
The Anti-Pattern
Never log unsanitized user input. Attackers inject newline characters to forge log entries.
BAD Code Example
# VULNERABLE: User input logged directly without sanitization
import logging
logging.basicConfig(filename='app.log', level=logging.INFO, format='%(asctime)s - %(message)s')
def user_login(username, ip_address):
# Attacker provides username with newline character
# Example: "j_smith\nINFO - Successful login for user: admin from IP: 10.0.0.1"
logging.info(f"Failed login attempt for user: {username} from IP: {ip_address}")
# Attacker input:
# username = "j_smith\nINFO - 2023-10-27 10:00:00,000 - Successful login for user: admin"
# ip_address = "192.168.1.100"
# Resulting log file:
#
# 2023-10-27 09:59:59,123 - Failed login attempt for user: j_smith
# INFO - 2023-10-27 10:00:00,000 - Successful login for user: admin from IP: 192.168.1.100
#
# Attacker forged log entry making 'admin' appear logged in,
# covering tracks or triggering false alerts
GOOD Code Example
# SECURE: Sanitize user input before logging or use structured logging
import logging
import json
# Option 1: Sanitize by removing or encoding control characters
def sanitize_for_log(input_string):
return input_string.replace('\n', '_').replace('\r', '_')
def user_login_sanitized(username, ip_address):
safe_username = sanitize_for_log(username)
logging.info(f"Failed login attempt for user: {safe_username} from IP: {ip_address}")
# Option 2 (Better): Use structured logging
# Logging library handles special character escaping automatically
logging.basicConfig(filename='app_structured.log', level=logging.INFO)
def user_login_structured(username, ip_address):
log_data = {
"event": "login_failure",
"username": username, # Newline character escaped by JSON formatter
"ip_address": ip_address
}
logging.info(json.dumps(log_data))
# Resulting log entry is single, valid JSON object:
# {"event": "login_failure", "username": "j_smith\nINFO - ...", "ip_address": "192.168.1.100"}
# Log analysis tools safely parse without being tricked by newline
Detection
- Find unsanitized logging: Grep for user input in log statements:
rg 'logging\.(info|warn|error).*f["\']|logging.*\+.*request\.' --type pyrg 'console\.(log|error).*\$\{|logger.*\+.*req\.' --type jsrg 'logger\.(info|warn).*\+|log\.println.*\+' --type java
- Identify string concatenation in logs: Find unescaped variables:
rg 'log.*%s|log.*\.format|log.*f"' --type py -A 1rg 'log\(.*\+|logger.*template' --type js
- Test with CRLF injection: Input test strings to verify sanitization:
username%0aINFO - Fake log entry(URL-encoded newline)admin\r\nSUCCESS:(direct CRLF)
- Check for structured logging: Verify JSON escaping:
rg 'json\.dumps|JSON\.stringify' | rg 'log'
Prevention
- [ ] Sanitize all user input: Strip or encode newline (
\n), carriage return (\r), and control characters before logging - [ ] Use structured logging (JSON): Libraries automatically escape special characters, preventing log injection
- [ ] Never log sensitive data: Exclude passwords, API keys, or PII
- [ ] Limit log entry length: Prevent disk-filling DoS attacks from enormous log entries
Related Security Patterns & Anti-Patterns
- Cross-Site Scripting (XSS) Anti-Pattern: Unescaped HTML characters in browser-viewed logs enable XSS
- Missing Input Validation Anti-Pattern: Log injection root cause—failure to validate and sanitize user input
References
- OWASP Top 10 A09:2025 - Security Logging and Alerting Failures
- OWASP GenAI LLM01:2025 - Prompt Injection
- OWASP API Security API8:2023 - Security Misconfiguration
- OWASP Logging Cheat Sheet
- CWE-117: Log Injection
- CAPEC-93: Log Injection-Tampering-Forging
- Source: sec-context
Related Skills
igbuend/xss-anti-pattern
development
VerifiedTrustedCommunity
Security anti-pattern for Cross-Site Scripting vulnerabilities (CWE-79). Use when generating or reviewing code that renders HTML, handles user input in web pages, uses innerHTML/document.write, or builds dynamic web content. Covers Reflected, Stored, and DOM-based XSS. AI code has 86% XSS failure rate.
4SKILL.mdUpdated Apr 5, 2026
igbuend/xpath-injection-anti-pattern
development
VerifiedTrustedCommunity
Security anti-pattern for XPath injection vulnerabilities (CWE-643). Use when generating or reviewing code that queries XML documents, constructs XPath expressions, or handles user input in XML operations. Detects unescaped quotes and special characters in XPath queries.
4SKILL.mdUpdated Apr 5, 2026
igbuend/weak-password-hashing-anti-pattern
development
VerifiedTrustedCommunity
Security anti-pattern for weak password hashing (CWE-327, CWE-759). Use when generating or reviewing code that stores or verifies user passwords. Detects use of MD5, SHA1, SHA256 without salt, or missing password hashing entirely. Recommends bcrypt, Argon2, or scrypt.
4SKILL.mdUpdated Apr 5, 2026
igbuend/weak-encryption-anti-pattern
development
VerifiedTrustedCommunity
Security anti-pattern for weak encryption (CWE-326, CWE-327). Use when generating or reviewing code that encrypts data, handles encryption keys, or uses cryptographic modes. Detects DES, ECB mode, static IVs, and custom crypto implementations.
4SKILL.mdUpdated Apr 5, 2026