Code Injection in Logging Config

The logging.config.listen() function lets you change the logging configuration of a running application over a socket. If you leave the verify argument at its default of None (the example below passes it explicitly) or otherwise disable it, no verification is performed on incoming data: anyone who can connect to the listening socket can push an arbitrary configuration to your application. Because that configuration names the handler classes to instantiate and their arguments, this could potentially allow them to execute arbitrary code.

Example

import logging.config


# verify=None (the default) disables verification entirely: any client that can
# reach port 1111 can submit a configuration that will be applied as-is.
thread = logging.config.listen(port=1111, verify=None)

Remediation

The verify argument should be set to a callable that checks whether the bytes received on the socket are valid and should be processed. It is called with the raw received bytes and must return the bytes to process, or None to discard the message. One way to verify the data is to sign and/or encrypt it with a secret shared with the trusted sender, so that data from anyone else is rejected.

import logging.config


def validate(recv: bytes):
    # listen() passes the raw bytes read from the socket. Return the bytes
    # that should be processed, or None to discard the message. Returning
    # recv unchanged, as here, accepts everything: replace this body with a
    # real signature or decryption check before relying on it.
    return recv


thread = logging.config.listen(verify=validate)

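The following is an added, self-contained example (not code from the original page or from the Python project) showing the signing approach end to end: the trusted sender prefixes the configuration with an HMAC-SHA256 tag and frames it the way listen() expects, and the verifier callable rejects anything whose tag does not match. The shared key and the sample configuration are constructed placeholders; make_verifier, sign_config and frame are names chosen for this example.

```python
import hashlib
import hmac
import logging
import logging.config
import struct

# Constructed placeholder key. In practice load the shared secret from a
# secrets store or the environment; never hard-code it.
SHARED_KEY = b"example-shared-secret-change-me"
TAG_LEN = hashlib.sha256().digest_size  # 32 bytes


def sign_config(payload: bytes, key: bytes = SHARED_KEY) -> bytes:
    """Sender side: return tag || payload, where tag = HMAC-SHA256(key, payload)."""
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return tag + payload


def make_verifier(key: bytes = SHARED_KEY):
    """Build a callable suitable for logging.config.listen(verify=...).

    listen() calls it with the raw bytes read from the socket and expects
    back the bytes to process, or None to discard the message.
    """

    def verify(recv: bytes):
        if len(recv) < TAG_LEN:
            return None  # too short to carry a tag at all
        tag, payload = recv[:TAG_LEN], recv[TAG_LEN:]
        expected = hmac.new(key, payload, hashlib.sha256).digest()
        # Constant-time comparison so the check does not leak tag bytes via timing.
        if not hmac.compare_digest(tag, expected):
            return None
        return payload

    return verify


def frame(message: bytes) -> bytes:
    """Wire framing listen() reads: a 4-byte big-endian length, then the data."""
    return struct.pack(">L", len(message)) + message


# Constructed sample configuration in the JSON form accepted by dictConfig().
SAMPLE_CONFIG = b'{"version": 1, "root": {"level": "DEBUG"}}'


if __name__ == "__main__":
    verify = make_verifier()
    signed = sign_config(SAMPLE_CONFIG)
    assert verify(signed) == SAMPLE_CONFIG
    # Flipping one payload byte invalidates the tag, so the message is discarded.
    tampered = signed[:-1] + bytes([signed[-1] ^ 0x01])
    assert verify(tampered) is None
    # A sender would transmit this to the listener's port:
    wire_bytes = frame(signed)
    print(f"{len(wire_bytes)} bytes on the wire, {TAG_LEN} of them the tag")

    # Wire the verifier into the listener (port 0 = pick a free port).
    t = logging.config.listen(port=0, verify=verify)
    t.start()
    t.ready.wait()
    print(f"listening on port {t.port}")
    # ... the application runs here; at shutdown:
    logging.config.stopListening()
    t.join()
```

The verifier returns the payload with the tag stripped, so the bytes handed to dictConfig()/fileConfig() are exactly what the sender signed; a message signed under a different key, truncated, or altered in transit yields None and is dropped before any configuration is applied.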
See also

New in version 0.1.0