advanced-security · knewbury01 · Jul 23, 2025 · Aug 1, 2025 · Aug 1, 2025 · jeongsoolee09
diff --git a/...cript/frameworks/cap/src/sensitive-exposure/SensitiveExposureHeuristicSource.md b/...cript/frameworks/cap/src/sensitive-exposure/SensitiveExposureHeuristicSource.md
@@ -0,0 +1,30 @@
+# CAP Insertion of Sensitive Information into Log File
+
+If sensitive information is written to a log entry using the CAP Node.js logging API, a malicious user may be able to gain access to user data.
+
+Data that may expose system information such as full path names, system information, usernames and passwords should not be logged.
+
+## Recommendation
+
+CAP applications should not log sensitive information.
+
+## Examples
+
+This CAP service directly logs the sensitive information.
+
+``` javascript
+import cds from '@sap/cds'
+const LOG = cds.log("logger");
+
+class SampleVulnService extends cds.ApplicationService {
+    init() {
+        LOG.info(`[INFO] Environment: ${JSON.stringify(process.env)}`); // CAP log exposure alert
+    }
+}
+```
+
+## References
+
+- OWASP 2021: [Security Logging and Monitoring Failures](https://owasp.org/Top10/A09_2021-Security_Logging_and_Monitoring_Failures/).
+- OWASP: [Logging Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Logging_Cheat_Sheet.html).
+- OWASP: [User Privacy Protection Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/User_Privacy_Protection_Cheat_Sheet.html).
diff --git a/javascript/frameworks/cap/src/sensitive-exposure/SensitiveExposureHeuristicSource.ql b/javascript/frameworks/cap/src/sensitive-exposure/SensitiveExposureHeuristicSource.ql
@@ -0,0 +1,31 @@
+/**
+ * @name Insertion of sensitive information into log files
+ * @description Writing heuristically sensitive information to log files can allow that
+ *              information to be leaked to an attacker more easily.
+ * @kind path-problem
+ * @problem.severity warning
+ * @security-severity 7.5
+ * @precision low
+ * @id js/cap-sensitive-log-heurisitic-source
+ * @tags security
+ *       external/cwe/cwe-532
+ */
+
+import javascript
+import advanced_security.javascript.frameworks.cap.CDS
+import advanced_security.javascript.frameworks.cap.CAPLogInjectionQuery
+private import semmle.javascript.security.dataflow.CleartextLoggingCustomizations::CleartextLogging as CleartextLogging
+import DataFlow::PathGraph
+
+class SensitiveLogExposureConfig extends TaintTracking::Configuration {
+  SensitiveLogExposureConfig() { this = "SensitiveLogExposure" }
+
+  override predicate isSource(DataFlow::Node source) { source instanceof CleartextLogging::Source }
+
+  override predicate isSink(DataFlow::Node sink) { sink instanceof CdsLogSink }
+}
+
+from SensitiveLogExposureConfig config, DataFlow::PathNode source, DataFlow::PathNode sink
+where config.hasFlowPath(source, sink)
+select sink, source, sink, "This logs sensitive data returned by $@ as clear text.",
+  source.getNode(), source.getNode().(CleartextLogging::Source).describe()
diff --git a/...ive-exposure/sensitive-exposure-js-all-sinks/sensitive-exposure-heuristic-source.expected b/...ive-exposure/sensitive-exposure-js-all-sinks/sensitive-exposure-heuristic-source.expected
@@ -0,0 +1,17 @@
+WARNING: module 'PathGraph' has been deprecated and may be removed in future (SensitiveExposureHeuristicSource.ql:18,8-27)
+WARNING: type 'Configuration' has been deprecated and may be removed in future (SensitiveExposureHeuristicSource.ql:20,42-70)
+WARNING: type 'PathNode' has been deprecated and may be removed in future (SensitiveExposureHeuristicSource.ql:28,41-59)
+WARNING: type 'PathNode' has been deprecated and may be removed in future (SensitiveExposureHeuristicSource.ql:28,68-86)
+nodes
+| sensitive-exposure-heuristic-source.js:6:18:6:69 | `[INFO] ... .env)}` |
+| sensitive-exposure-heuristic-source.js:6:18:6:69 | `[INFO] ... .env)}` |
+| sensitive-exposure-heuristic-source.js:6:41:6:67 | JSON.st ... ss.env) |
+| sensitive-exposure-heuristic-source.js:6:56:6:66 | process.env |
+| sensitive-exposure-heuristic-source.js:6:56:6:66 | process.env |
+edges
+| sensitive-exposure-heuristic-source.js:6:41:6:67 | JSON.st ... ss.env) | sensitive-exposure-heuristic-source.js:6:18:6:69 | `[INFO] ... .env)}` |
+| sensitive-exposure-heuristic-source.js:6:41:6:67 | JSON.st ... ss.env) | sensitive-exposure-heuristic-source.js:6:18:6:69 | `[INFO] ... .env)}` |
+| sensitive-exposure-heuristic-source.js:6:56:6:66 | process.env | sensitive-exposure-heuristic-source.js:6:41:6:67 | JSON.st ... ss.env) |
+| sensitive-exposure-heuristic-source.js:6:56:6:66 | process.env | sensitive-exposure-heuristic-source.js:6:41:6:67 | JSON.st ... ss.env) |
+#select
+| sensitive-exposure-heuristic-source.js:6:18:6:69 | `[INFO] ... .env)}` | sensitive-exposure-heuristic-source.js:6:56:6:66 | process.env | sensitive-exposure-heuristic-source.js:6:18:6:69 | `[INFO] ... .env)}` | This logs sensitive data returned by $@ as clear text. | sensitive-exposure-heuristic-source.js:6:56:6:66 | process.env | process environment |
diff --git a/...sensitive-exposure/sensitive-exposure-js-all-sinks/sensitive-exposure-heuristic-source.js b/...sensitive-exposure/sensitive-exposure-js-all-sinks/sensitive-exposure-heuristic-source.js
@@ -0,0 +1,8 @@
+import cds from '@sap/cds'
+const LOG = cds.log("logger");
+
+class SampleVulnService extends cds.ApplicationService {
+    init() {
+        LOG.info(`[INFO] Environment: ${JSON.stringify(process.env)}`); // CAP log exposure alert
+    }
+}
diff --git a/...sitive-exposure/sensitive-exposure-js-all-sinks/sensitive-exposure-heuristic-source.qlref b/...sitive-exposure/sensitive-exposure-js-all-sinks/sensitive-exposure-heuristic-source.qlref
@@ -0,0 +1 @@
+sensitive-exposure/SensitiveExposureHeuristicSource.ql
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1 @@
		sensitive-exposure/SensitiveExposureHeuristicSource.ql