Protect against log injections


#1

Is it possible to protect client logs from “log injections” from the end users? Let’s say I’m using Chrome Dev Tools and type throw new Error("I'm evil...");

That would end up in my server logs even though it’s not from my original js-code.


#2

whitelist_urls would help, but at a certain point we can’t prevent people from sending data. has this been a problem for you?


#3

No, not yet - I’m just trying to do a threat analysis, as it opens up a way to get weird stuff into logs (not produced by the application itself)…

It seems using the the dev tools console does not send data, even without whitelisting. On the other hand, anyone could you curl or whatever to send correctly formatted “errors” to the collecting endpoint, right? Could possibly be handled by CSRF tokens, Access-Control-Allow-Origin etc, but as you point out - there will always be a way to fake all this, I guess.


#4

There’s never going to be a way to prevent users from doing it. If you did see the problem you can add the IP address of the client to the blocklist in your project settings.