SEC-2001
security
config_error
ai_generated: true
OAuth2 client secret exposed in application log: sensitive credentials written to log file
ID: security/oauth2-client-secret-exposed-in-log
Fix Rate: 88%
Confidence: 86%
Evidence: 1
First Seen: 2024-03-01
Version Compatibility
| Version | Status | Introduced | Deprecated | Notes |
|---|---|---|---|---|
| Spring Boot 3.1 | active | — | — | — |
| Log4j 2.20 | active | — | — | — |
| Python logging 0.5 | active | — | — | — |
| Node.js Winston 3.11 | active | — | — | — |
Root Cause
The OAuth2 client secret was inadvertently logged as part of a request or configuration dump, exposing the credential to anyone with access to log files.
Official Documentation
https://logging.apache.org/log4j/2.x/manual/filters.html
Workarounds
- 85% success: Configure a logging filter to redact sensitive fields. For Log4j2 note two things about `RegexFilter`: it drops the whole event (DENY) rather than redacting it, and its regex must match the entire formatted message, so a pattern such as `.*client_secret=[^&]+` misses any message where another parameter follows the secret. Use `<RegexFilter regex="(?s).*client_secret=.*" onMatch="DENY" onMismatch="NEUTRAL"/>` and declare it at the configuration level so it applies to every logger and appender. To keep the event and mask only the value, use the PatternLayout `replace` converter instead, e.g. `%replace{%msg}{client_secret=[^&\s]+}{client_secret=***}`.
- 90% success: Use environment variables or a secret manager (e.g., HashiCorp Vault) to inject the secret at runtime, and ensure the application never logs the raw value. In Spring Boot, inject it with `@Value("${client.secret}")` and never print it; in particular keep it out of `toString()` on configuration objects, since a configuration dump is the other leak route named in the root cause.
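As an added example (not code from the original page or from any of the listed frameworks), here is the redacting-filter workaround implemented for Python's `logging` module, written so that it also closes the two dead ends listed on this page: redaction happens in the Formatter, so the message, its arguments and any exception traceback are all covered, and the literal secret value obtained at startup is blanked as well as the `client_secret=...` pattern, so the secret cannot survive in a stack trace where it is not in key=value form. The secret value, the logger names and the sample log lines are all constructed for the demo.

```python
"""Redact OAuth2 client secrets from Python logging output (added example).

Two complementary strategies are combined:
  1. Pattern-based: rewrite client_secret=..., "client_secret": "..." and
     Basic-auth header values wherever they appear in the formatted record.
  2. Value-based: blank the literal secret value (in production, the value
     loaded from the environment / secret manager at startup), which also
     catches it inside tracebacks where no key=value syntax is present.
Redaction runs in a Formatter, not a Filter, so exc_info text is covered and
no event has to be dropped outright.
"""
import io
import logging
import re

# Constructed demo value; a real deployment reads it from the environment or a
# secret manager and never logs it.
DEMO_SECRET = "s3cr3t-Value-XYZ-0123"

# (compiled pattern, replacement) pairs; groups 1/2 preserve surrounding syntax.
REDACTION_RULES = [
    (re.compile(r"(client_secret=)[^&\s]+"), r"\1***"),
    (re.compile(r"""(["']client_secret["']\s*:\s*["'])[^"']*(["'])"""), r"\1***\2"),
    (re.compile(r"(Authorization:\s*Basic\s+)[A-Za-z0-9+/=]+"), r"\1***"),
]


def redact(text, known_secrets=()):
    """Apply the pattern rules, then blank any literal known secret values."""
    for pattern, repl in REDACTION_RULES:
        text = pattern.sub(repl, text)
    for secret in known_secrets:
        if secret:  # never replace the empty string
            text = text.replace(secret, "***")
    return text


class RedactingFormatter(logging.Formatter):
    """Redacts the fully formatted record: message, args and traceback."""

    def __init__(self, fmt=None, known_secrets=()):
        super().__init__(fmt)
        self._known_secrets = tuple(known_secrets)

    def format(self, record):
        return redact(super().format(record), self._known_secrets)


def build_logger(name, redacting, known_secrets=()):
    """Return (logger, buffer); the buffer captures everything the logger writes."""
    logger = logging.getLogger(name)
    logger.handlers.clear()
    logger.propagate = False
    logger.setLevel(logging.DEBUG)
    buf = io.StringIO()
    handler = logging.StreamHandler(buf)
    fmt = "%(levelname)s %(message)s"
    handler.setFormatter(
        RedactingFormatter(fmt, known_secrets) if redacting else logging.Formatter(fmt)
    )
    logger.addHandler(handler)
    return logger, buf


def simulate_token_request(logger, secret):
    """Emit the three record types that typically leak the secret (constructed)."""
    body = f"grant_type=client_credentials&client_id=app-1&client_secret={secret}&scope=read"
    logger.debug("POST /oauth/token body=%s", body)            # request dump
    config = {"client_id": "app-1", "client_secret": secret}   # configuration dump
    logger.info("loaded oauth config: %s", config)
    try:
        raise ValueError(f"token endpoint rejected secret {secret}")  # secret in traceback
    except ValueError:
        logger.exception("token request failed")


def capture(redacting, secret=DEMO_SECRET):
    """Run the simulation with or without redaction and return the log text."""
    name = "demo.safe" if redacting else "demo.leaky"
    logger, buf = build_logger(name, redacting, [secret])
    simulate_token_request(logger, secret)
    return buf.getvalue()


if __name__ == "__main__":
    print("--- without redaction ---")
    print(capture(False))
    print("--- with redaction ---")
    print(capture(True))
```

The pattern rules alone would still leak the value in the `ValueError` traceback; the value-based pass is what closes that route, which is why the formatter needs the real secret handed to it at startup rather than only a regex.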
Dead Ends
Common approaches that don't work:
- 60% fail: Simply rotating the secret without fixing the logging configuration means the new secret will also be logged, perpetuating the exposure.
- 35% fail: Attaching the redaction filter to only one logger, appender or level (e.g., ERROR) still leaks the secret through every other level, logger and appender; the filter has to be declared globally so that it applies to all of them.
- 25% fail: Some try to mask the secret in logs by truncating it, but if the full secret appears elsewhere (e.g., in a stack trace), the truncation is ineffective.