
Commit 2915d6b

Add sensitive exposure split query
1 parent 881e066 commit 2915d6b

5 files changed (+87, -0 lines changed)

Lines changed: 30 additions & 0 deletions
@@ -0,0 +1,30 @@
1+
# CAP Insertion of Sensitive Information into Log File
2+
3+
If sensitive information is written to a log entry using the CAP Node.js logging API, a malicious user may be able to gain access to user data.
4+
5+
Data that may expose system information such as full path names, system information, usernames and passwords should not be logged.
6+
7+
## Recommendation
8+
9+
CAP applications should not log sensitive information.
10+
11+
## Examples
12+
13+
This CAP service directly logs the sensitive information.
14+
15+
``` javascript
16+
import cds from '@sap/cds'
17+
const LOG = cds.log("logger");
18+
19+
class SampleVulnService extends cds.ApplicationService {
20+
init() {
21+
LOG.info(`[INFO] Environment: ${JSON.stringify(process.env)}`); // CAP log exposure alert
22+
}
23+
}
24+
```
25+
26+
## References
27+
28+
- OWASP 2021: [Security Logging and Monitoring Failures](https://owasp.org/Top10/A09_2021-Security_Logging_and_Monitoring_Failures/).
29+
- OWASP: [Logging Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Logging_Cheat_Sheet.html).
30+
- OWASP: [User Privacy Protection Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/User_Privacy_Protection_Cheat_Sheet.html).
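Review bot: the Recommendation section (hunk line 9, "CAP applications should not log sensitive information.") only restates the rule; it should tell the developer what to do instead, e.g. log a fixed message or an explicitly allow-listed, redacted subset of the object, and the Examples section shows only the vulnerable service with no fixed counterpart, which is the usual shape of a qhelp page. Also, the opening sentence frames the impact as access to "user data", but the example leaks `process.env`, which on a CAP deployment typically carries service bindings and credentials rather than end-user data; widen that sentence to cover secrets and system information, which hunk line 5 already lists.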
Lines changed: 31 additions & 0 deletions
@@ -0,0 +1,31 @@
1+
/**
2+
* @name Insertion of sensitive information into log files
3+
* @description Writing heuristically sensitive information to log files can allow that
4+
* information to be leaked to an attacker more easily.
5+
* @kind path-problem
6+
* @problem.severity warning
7+
* @security-severity 7.5
8+
* @precision low
9+
* @id js/cap-sensitive-log-likely
10+
* @tags security
11+
* external/cwe/cwe-532
12+
*/
13+
14+
import javascript
15+
import advanced_security.javascript.frameworks.cap.CDS
16+
import advanced_security.javascript.frameworks.cap.CAPLogInjectionQuery
17+
private import semmle.javascript.security.dataflow.CleartextLoggingCustomizations::CleartextLogging as CleartextLogging
18+
import DataFlow::PathGraph
19+
20+
class SensitiveLogExposureConfig extends TaintTracking::Configuration {
21+
SensitiveLogExposureConfig() { this = "SensitiveLogExposure" }
22+
23+
override predicate isSource(DataFlow::Node source) { source instanceof CleartextLogging::Source }
24+
25+
override predicate isSink(DataFlow::Node sink) { sink instanceof CdsLogSink }
26+
}
27+
28+
from SensitiveLogExposureConfig config, DataFlow::PathNode source, DataFlow::PathNode sink
29+
where config.hasFlowPath(source, sink)
30+
select sink, source, sink, "This logs sensitive data returned by $@ as clear text.",
31+
source.getNode(), source.getNode().(CleartextLogging::Source).describe()
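Review bot: the query is written against the deprecated data-flow API (`TaintTracking::Configuration` at hunk line 20, `DataFlow::PathNode` at line 28, `import DataFlow::PathGraph` at line 18), and the resulting deprecation warnings are already baked into this commit's .expected output. Port it to a `DataFlow::ConfigSig` module, e.g. `module SensitiveLogExposureFlow = TaintTracking::Global<SensitiveLogExposureConfig>;` with `import SensitiveLogExposureFlow::PathGraph` and `SensitiveLogExposureFlow::PathNode` in the `from` clause. While doing that, check whether the barriers and additional flow steps that the library's own CleartextLogging configuration applies should be mirrored here: as written the configuration has only `isSource` and `isSink`, so anything the standard cleartext-logging query deliberately stops would still be reported by this one, which matters for a query that already declares `@precision low`.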
@@ -0,0 +1,17 @@
1+
WARNING: module 'PathGraph' has been deprecated and may be removed in future (SensitiveExposureLikely.ql:18,8-27)
2+
WARNING: type 'Configuration' has been deprecated and may be removed in future (SensitiveExposureLikely.ql:20,42-70)
3+
WARNING: type 'PathNode' has been deprecated and may be removed in future (SensitiveExposureLikely.ql:28,41-59)
4+
WARNING: type 'PathNode' has been deprecated and may be removed in future (SensitiveExposureLikely.ql:28,68-86)
5+
nodes
6+
| sensitive-exposure-likely.js:6:18:6:69 | `[INFO] ... .env)}` |
7+
| sensitive-exposure-likely.js:6:18:6:69 | `[INFO] ... .env)}` |
8+
| sensitive-exposure-likely.js:6:41:6:67 | JSON.st ... ss.env) |
9+
| sensitive-exposure-likely.js:6:56:6:66 | process.env |
10+
| sensitive-exposure-likely.js:6:56:6:66 | process.env |
11+
edges
12+
| sensitive-exposure-likely.js:6:41:6:67 | JSON.st ... ss.env) | sensitive-exposure-likely.js:6:18:6:69 | `[INFO] ... .env)}` |
13+
| sensitive-exposure-likely.js:6:41:6:67 | JSON.st ... ss.env) | sensitive-exposure-likely.js:6:18:6:69 | `[INFO] ... .env)}` |
14+
| sensitive-exposure-likely.js:6:56:6:66 | process.env | sensitive-exposure-likely.js:6:41:6:67 | JSON.st ... ss.env) |
15+
| sensitive-exposure-likely.js:6:56:6:66 | process.env | sensitive-exposure-likely.js:6:41:6:67 | JSON.st ... ss.env) |
16+
#select
17+
| sensitive-exposure-likely.js:6:18:6:69 | `[INFO] ... .env)}` | sensitive-exposure-likely.js:6:56:6:66 | process.env | sensitive-exposure-likely.js:6:18:6:69 | `[INFO] ... .env)}` | This logs sensitive data returned by $@ as clear text. | sensitive-exposure-likely.js:6:56:6:66 | process.env | process environment |
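Review bot: the four `WARNING: ... has been deprecated` lines at the top of the expected output (hunk lines 1-4) are compiler diagnostics, not query results, so this test will fail as soon as the query is ported off the deprecated API or the library removes it, even though the results are unchanged; fix the query first and regenerate this file instead of committing the warnings as expected output. Also worth a look: every row under `nodes` and `edges` appears twice (e.g. `sensitive-exposure-likely.js:6:56:6:66 | process.env` at lines 9-10), while `#select` has a single row; that usually means two distinct path nodes with the same location are being produced. Check whether the duplication survives the port, and if it does, the source or sink is probably being matched twice.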
@@ -0,0 +1,8 @@
1+
import cds from '@sap/cds'
2+
const LOG = cds.log("logger");
3+
4+
class SampleVulnService extends cds.ApplicationService {
5+
init() {
6+
LOG.info(`[INFO] Environment: ${JSON.stringify(process.env)}`); // CAP log exposure alert
7+
}
8+
}
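Review bot: the test has only a positive case, so nothing checks that the query stays quiet on ordinary logging; add at least one `LOG.info` call that must not alert (a constant message, or a value that is not one of the CleartextLogging sources) and, once the query carries barriers, a case where the sensitive value is redacted before logging. A `// no alert` marker on those lines keeps them symmetrical with the existing `// CAP log exposure alert` annotation on hunk line 6, and regenerating the .expected file afterwards will show whether the negative cases really produce no rows.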
@@ -0,0 +1 @@
1+
sensitive-exposure/SensitiveExposureLikely.ql
