Metastatic.Analysis.BusinessLogic.SensitiveDataExposure
(Metastatic v0.10.4)
Detects exposure of sensitive information to unauthorized actors (CWE-200).
This analyzer identifies code patterns where sensitive data such as passwords, tokens, secrets, or PII is logged, returned in responses, or otherwise exposed.
Cross-Language Applicability
Sensitive data exposure is a universal security concern:
- Elixir: `Logger.info("User: #{inspect(user)}")  # may include password_hash`
- Python: `logging.info(f"Request: {request.__dict__}")`
- JavaScript: `console.log("User data:", userData)`
- Ruby: `Rails.logger.info(user.attributes)`
- Java: `logger.info("User: " + user.toString())`
- C#: `_logger.LogInformation($"User: {user}")`
- Go: `log.Printf("User: %+v", user)`
Problem
When sensitive data is logged or exposed:
- Passwords/tokens may be stored in plain text in logs
- PII may be accessible to unauthorized personnel
- Compliance violations (GDPR, HIPAA, PCI-DSS)
- Credential leakage through error messages
Detection Strategy
The analyzer flags code where:
- Logging functions receive whole objects or maps that may contain sensitive fields
- Variables with sensitive-looking names (password, token, secret, ...) are logged
- The output of inspect/toString on user or credential objects is logged
- Error responses include detailed internal information
Examples
Bad (Elixir)

```elixir
def create(conn, params) do
  Logger.info("Creating user with params: #{inspect(params)}")
  # params may contain password!
end
```

Good (Elixir)

```elixir
def create(conn, params) do
  Logger.info("Creating user: #{params["email"]}")
  # Only log non-sensitive fields
end
```