Skip to main content

Log Injection


Prevent compromising log integrity or system safety by log injection


  • Usage of Elixir (v1.10+) for building scalable and fault-tolerant applications
  • Usage of Plug for request handling
  • Usage of Phoenix framework for building web applications
  • Usage of Logger for standard logging


Non compliant code

def handle_post(%{params: %{"user_input" => input}} = conn, _opts) do"User input: #{input}")
# further code

This code is vulnerable because it directly logs user-provided input without sanitizing it. An attacker could inject malicious content into the logs via this input, potentially compromising the integrity of the logs or even the system of the person viewing the logs.


  • Sanitize user inputs before storing them in the log. This can be achieved by encoding special characters or stripping control characters.
  • Avoid using user-provided input directly in logs where possible.
  • Consider the use of structured logging, which can make injection attacks harder.

Compliant code

def handle_post(%{params: %{"user_input" => input}} = conn, _opts) do
sanitized_input = sanitize_input(input)"User input: #{sanitized_input}")
# further code

def sanitize_input(input) do
# Sanitization logic, e.g., escaping special characters

The secure code example sanitizes the user input before logging it, helping prevent log injection attacks. The sanitize_input function would contain the appropriate logic for sanitizing the input, such as stripping control characters or escaping special characters.