Critiq Docs

security.input-validation

Sanitize user-controlled values before they reach log messages

Logger calls in pino, winston, bunyan, and consola should not interpolate or concatenate request input directly into the message text.

# Metadata

| Field | Value |
|---|---|
| Rule ID | ts.security.log-injection |
| Severity | medium |
| Confidence | 0.85 |
| Languages | javascript, typescript |
| Presets | recommended, security, strict |
| Stability | stable |
| Applies to | block |
| Tags | input-validation, logging, rules-catalog, security |

# Why it matters

Unsanitized request data in log messages enables CRLF injection (forging extra log lines), control-character smuggling (for example terminal escape sequences), and confusion in downstream log parsers. Passing the value as a structured field, running it through a JSON encoder, or stripping CRLF and control characters with a replace neutralizes the vector.

# Remediation

Pass request data as a structured field, JSON-encode it, or strip CRLF and control characters before concatenating it into the log message.
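The following is an added example, not part of the Critiq rule or of any of the named logger libraries. It places the flagged pattern beside the three remediations the rule accepts, using a constructed request value carrying CRLF and an escape character; the record shape mimics what pino or winston emit for a fields object, but no logger library is imported.

```javascript
// Constructed sample: a request-controlled username shaped to forge a second
// log line and to emit a terminal escape sequence.
const REQUEST_USERNAME = 'alice\r\n2024-01-01T00:00:00Z INFO admin login ok\x1b[0m';

// Flagged pattern: request input interpolated straight into the message text.
function vulnerableMessage(username) {
  return `login attempt for ${username}`;
}

// Remediation 1: structured field. The value is a JSON property of the record,
// never part of the free-text message, so CR/LF are escaped by the serializer.
function structuredRecord(username) {
  return JSON.stringify({ level: 'info', msg: 'login attempt', username });
}

// Remediation 2: JSON-encode the value before concatenating it. Line breaks
// and control characters become \r, \n and \u001b escapes.
function messageWithJsonEncodedValue(username) {
  return `login attempt for ${JSON.stringify(username)}`;
}

// Remediation 3: strip CR, LF, the other C0/C1 control characters and DEL so
// the value can neither start a new log line nor carry an escape sequence.
function stripControlChars(value) {
  return String(value).replace(/[\u0000-\u001f\u007f-\u009f]/g, '');
}

// Detection helper for the check below: does the emitted line still contain a
// raw line break that a line-oriented log parser would read as a new entry?
function containsRawNewline(line) {
  return /[\r\n]/.test(line);
}

function main() {
  for (const [name, line] of [
    ['vulnerable', vulnerableMessage(REQUEST_USERNAME)],
    ['structured', structuredRecord(REQUEST_USERNAME)],
    ['json-encoded', messageWithJsonEncodedValue(REQUEST_USERNAME)],
    ['stripped', `login attempt for ${stripControlChars(REQUEST_USERNAME)}`],
  ]) {
    console.log(`${name}: raw newline = ${containsRawNewline(line)}`);
  }
}

main();
```

Only the vulnerable variant reports a raw newline; the structured and JSON-encoded forms keep the original bytes recoverable from the record, while stripping discards them.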

# Repository path

The generated metadata points to critiq-rules/libs/rules/catalog/rules/typescript/ts.security.log-injection.rule.yaml.