logging — insecure listen config

Code Injection in Logging Config

The logging.config.listen() function lets you change the logging configuration of a running application over a socket. However, if the verify argument is left unset (None) or otherwise does not perform real verification, you are opening yourself up to a security vulnerability: anyone who can connect to the listening socket can send arbitrary configuration data to your application, and because a logging configuration can name handler classes, factories and other callables, that can lead to arbitrary code execution.

Example

insecure_listen_config_port_verify_none.py

```python
import logging.config


thread = logging.config.listen(port=1111, verify=None)  # verify left as None: every client that can reach the socket is trusted
```
Example Output

```
> precli tests/unit/rules/python/stdlib/logging/examples/insecure_listen_config_port_verify_none.py
⚠️  Warning on line 4 in tests/unit/rules/python/stdlib/logging/examples/insecure_listen_config_port_verify_none.py
PY010: Improper Control of Generation of Code ('Code Injection')
Using 'logging.config.listen' with unset 'verify' vulnerable to code injection.
```

Remediation

The verify argument should be set to a callable that checks whether the bytes received on the socket are valid to be processed; it is called with the received bytes and returns the bytes to apply, or None to reject the message. One way to verify the data is to use encryption and/or signing.

insecure_listen_config_port_verify_none.py

```python
import logging.config


def validate(recv: bytes):
    # Placeholder: inspect the received bytes here (for example, check a
    # signature or decrypt them) and return the bytes to apply, or None to
    # reject the message. Returning the input unchanged performs no verification.
    return recv


thread = logging.config.listen(verify=validate)
```
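The signing approach the remediation mentions, as an added example that is not precli's or the page's own code: the sender prefixes the configuration with an HMAC-SHA256 tag under a shared key, and the verify callable handed to `logging.config.listen()` returns the payload only when the tag checks out (and None otherwise, which makes the listener drop the message). `SHARED_KEY`, `SAMPLE_CONFIG` and the helper names are constructed for this example.

```python
import hashlib
import hmac
import json
import logging.config
import struct
from typing import Optional

# Constructed demo key: in practice load it from a secret store, never hard-code it.
SHARED_KEY = b"demo-only-replace-with-random-32-byte-secret"
TAG_LEN = hashlib.sha256().digest_size  # 32-byte tag prefix
# Constructed sample dictConfig payload, as a client would send it.
SAMPLE_CONFIG = json.dumps({"version": 1, "root": {"level": "INFO"}}).encode()


def sign_config(config: bytes, key: bytes = SHARED_KEY) -> bytes:
    """Sender side: prefix the config payload with an HMAC-SHA256 tag."""
    return hmac.new(key, config, hashlib.sha256).digest() + config


def frame_message(signed: bytes) -> bytes:
    """Sender side: listen() expects a 4-byte big-endian length before the data."""
    return struct.pack(">L", len(signed)) + signed


def verify_config(recv: bytes, key: bytes = SHARED_KEY) -> Optional[bytes]:
    """Receiver side, passed as verify= to listen().

    listen() hands this the bytes after the length prefix and applies whatever
    it returns; returning None makes the listener discard the message.
    """
    if len(recv) <= TAG_LEN:
        return None  # too short to hold a tag and a payload
    tag, payload = recv[:TAG_LEN], recv[TAG_LEN:]
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None  # unknown key or tampered payload: reject
    return payload


def start_listener(port: int = 9030):
    """Start the config listener with verification enabled (9030 is the stdlib default port)."""
    thread = logging.config.listen(port=port, verify=verify_config)
    thread.start()
    return thread
```

Stop a started listener with `logging.config.stopListening()` followed by `thread.join()`.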

Default Configuration

```toml
enabled = true
level = "warning"
```

See also

New in version 0.1.0