If sensitive information is written to a log entry using the CAP Node.js logging API, a malicious user may be able to gain access to user data.
Data annotated as @PersonalData should not be logged.
CAP applications should not log sensitive information. Check CDS declarations for annotations before logging certain data types or fields.
This CAP service directly logs the sensitive information.
namespace advanced_security.log_exposure.sample_entities;
entity Sample {
name : String(111);
}
// annotations for Data Privacy
annotate Sample with
@PersonalData : { DataSubjectRole : 'Sample', EntitySemantics : 'DataSubject' }
{
name @PersonalData.IsPotentiallySensitive;
}import cds from '@sap/cds'
const LOG = cds.log("logger");
const { Sample } = cds.entities('advanced_security.log_exposure.sample_entities')
class SampleVulnService extends cds.ApplicationService {
init() {
LOG.info("Received: ", Sample.name); // CAP log exposure alert
}
}- OWASP 2021: Security Logging and Monitoring Failures.
- OWASP: Logging Cheat Sheet.
- OWASP: User Privacy Protection Cheat Sheet.
- SAP CAPire Documentation: PersonalData Annotations.