sirupsen / logrus

Structured, pluggable logging for Go.

Feature request: hook for sanitization function

lucasgonze opened this issue

There are a number of potential attacks involving logs. They can be mitigated through sanitization. Users of the logrus package (and others) can sanitize data before passing it to logrus, but the broad spread of calls into the logging package means sanitization will sometimes be missed.

Compare the verbosity of
logger.Infof("Request %s %v %s\n", method, url.Path, extraReqInfo)
with
logger.Infof("Request %s %v %s\n", sanitize(method), sanitize(url.Path), sanitize(extraReqInfo))

...and consider how many log statements are created during the debugging process.

If sanitization is built into the logging package - for example in the form of a callback function provided as a configuration parameter - then security will be enhanced.

Closing in favor of #1307
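
The configure-once callback proposed in the issue above, sketched as an added example; it is not logrus code and not from the thread. `SafeLogger`, its `Sanitize` field and `EscapeControl` are hypothetical names, and forged log lines through embedded newlines are the assumed threat.

```go
package main

import (
	"fmt"
	"io"
	"os"
	"strings"
	"unicode"
)

// EscapeControl makes control characters and Unicode line separators visible
// so untrusted input cannot start a new, forged log line. Backslashes are
// doubled so the escapes stay unambiguous.
func EscapeControl(s string) string {
	var b strings.Builder
	for _, r := range s {
		switch {
		case r == '\\':
			b.WriteString(`\\`)
		case unicode.IsControl(r) || r == '\u2028' || r == '\u2029':
			fmt.Fprintf(&b, `\u%04x`, r)
		default:
			b.WriteRune(r)
		}
	}
	return b.String()
}

// SafeLogger is a hypothetical stand-in for a logger configured once with a
// sanitization callback; it is not the logrus API.
type SafeLogger struct {
	Out      io.Writer
	Sanitize func(string) string
}

// Format renders the message, then sanitizes the whole result, so every
// argument type is covered and each call yields exactly one line.
func (l *SafeLogger) Format(format string, args ...interface{}) string {
	msg := strings.TrimSuffix(fmt.Sprintf(format, args...), "\n")
	return "level=info msg=" + l.Sanitize(msg) + "\n"
}

// Infof keeps the call site as short as the unsanitized version in the issue.
func (l *SafeLogger) Infof(format string, args ...interface{}) {
	io.WriteString(l.Out, l.Format(format, args...))
}

func main() {
	logger := &SafeLogger{Out: os.Stdout, Sanitize: EscapeControl}
	// Constructed sample: a request path carrying an embedded newline.
	path := "/login\nlevel=info msg=admin-login-ok"
	logger.Infof("Request %s %v %s\n", "GET", path, "ua=test")
}
```

Sanitizing the rendered message rather than each argument means values of any type, including `fmt.Stringer` and `error`, pass through the callback without per-call `sanitize(...)` wrappers.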