When we updated to the latest version of golangci-lint, and thus received an updated gosec linter, we discovered a lot of flagged log lines. Reading CWE-117, the risk seems to be forging log lines to confuse other systems or humans when reading them.
We use slog for our logging purposes, which escapes these values already. So newlines and quotation marks will be properly escaped, which prevents issues with inserting additional log lines or marking more structured logging fields.
Are there any other risks that could be present, or could this be considered a false positive? Example log lines:
pkg/api/handler.go:89:13: G706: Log injection via taint analysis (gosec)
slog.Error("request failed", "err", err, "uri", req.RequestURI)
pkg/api/handler.go:103:12: G706: Log injection via taint analysis (gosec)
slog.Warn("Error getting FS to serve", "err", err, "ext", fileExtension, "path", r.URL.Path)
pkg/api/handler.go:144:12: G706: Log injection via taint analysis (gosec)
slog.Warn("Error getting HLS file info", "err", err, "path", filePath) // Filepath is derived from r.URL.Path
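The following is an added example, not code from the question or from the project whose handler.go is quoted above. It runs the same shape of call as the flagged lines (a slog.Error with an err and a request-derived uri) through slog's TextHandler and JSONHandler, and through the classic log package for comparison, on a constructed attacker input (ForgedURI, errServe are made up for the demo) that carries an embedded newline, a fake second record, and an ANSI escape sequence. It lets you check the claim in the question directly: how many physical lines come out, whether any raw control byte survives, and whether a JSON consumer recovers the original bytes.

```go
package main

import (
	"bytes"
	"encoding/json"
	"errors"
	"fmt"
	"log"
	"log/slog"
	"strings"
)

// ForgedURI is a constructed attacker value, not a real request: a newline
// followed by text shaped like a benign second record, then ESC[2J, which
// would clear a terminal if a viewer echoed it raw.
const ForgedURI = "/index.html\nlevel=INFO msg=\"admin login ok\" user=root\x1b[2J"

// errServe is a constructed error standing in for the handler's err value.
var errServe = errors.New("open /srv/files: no such file")

// dropTime removes the built-in time attribute so the output is deterministic.
func dropTime(groups []string, a slog.Attr) slog.Attr {
	if len(groups) == 0 && a.Key == slog.TimeKey {
		return slog.Attr{}
	}
	return a
}

// RenderText logs through slog's TextHandler, as the flagged lines do,
// and returns the rendered record.
func RenderText(uri string) string {
	var buf bytes.Buffer
	logger := slog.New(slog.NewTextHandler(&buf, &slog.HandlerOptions{ReplaceAttr: dropTime}))
	logger.Error("request failed", "err", errServe, "uri", uri)
	return buf.String()
}

// RenderJSON does the same through slog's JSONHandler.
func RenderJSON(uri string) string {
	var buf bytes.Buffer
	logger := slog.New(slog.NewJSONHandler(&buf, &slog.HandlerOptions{ReplaceAttr: dropTime}))
	logger.Error("request failed", "err", errServe, "uri", uri)
	return buf.String()
}

// RenderLegacy is the unescaped baseline that CWE-117 is about: the classic
// log package writes the value verbatim, so the embedded newline starts a
// second record that a reader or a line-oriented parser will take at face value.
func RenderLegacy(uri string) string {
	var buf bytes.Buffer
	log.New(&buf, "", 0).Printf("request failed: err=%v uri=%s", errServe, uri)
	return buf.String()
}

// PhysicalLines counts newline-terminated records in rendered output;
// a successfully forged record shows up as more than one.
func PhysicalLines(out string) int { return strings.Count(out, "\n") }

// ContainsRawControl reports whether a raw control byte (newline, ESC, ...)
// survived into the output, ignoring the record's own trailing newline.
func ContainsRawControl(out string) bool {
	for i := 0; i < len(out)-1; i++ {
		if out[i] < 0x20 {
			return true
		}
	}
	return false
}

// DecodeJSONURI parses a JSON record and returns its uri field, showing that
// a JSON-aware consumer (SIEM, log shipper) gets the original bytes back,
// not a second record.
func DecodeJSONURI(out string) (string, error) {
	var rec map[string]any
	if err := json.Unmarshal([]byte(out), &rec); err != nil {
		return "", err
	}
	uri, _ := rec["uri"].(string)
	return uri, nil
}

func main() {
	for name, out := range map[string]string{
		"slog text": RenderText(ForgedURI),
		"slog json": RenderJSON(ForgedURI),
		"log.Printf": RenderLegacy(ForgedURI),
	} {
		fmt.Printf("%-10s lines=%d rawControl=%v\n  %q\n",
			name, PhysicalLines(out), ContainsRawControl(out), out)
	}
}
```

Both slog handlers emit exactly one line and escape the newline, the quote and the ESC byte (`\n`, `\"`, `\x1b` in text; `\n`, `\"`, `\u001b` in JSON), while log.Printf emits two lines with the ESC byte intact. The residual risk is therefore not in slog's own output but downstream: anything that reads the text format by splitting on whitespace rather than unquoting, or a consumer that unescapes values and then prints them to a terminal, reintroduces the problem.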