Access to user-controlled UI5 Logs

Processing user-controlled log entries can lead to injection vulnerabilities, where an attacker can manipulate user input to affect the application excution.

UI5 applications can retrieve logs for further processing using sap/base/Log.getLogEntries, define custom listeners using sap/base/Log.addLogListener or directly display logs using the sap/ui/vk/Notifications control.

This query identifies instances where user-controlled log entries are accessed in a UI5 application.

Recommendation

Avoid accessing log entries that originate from user-controlled sources. Ensure that any log data is properly sanitized.

Example

The following example demonstrates a vulnerable code snippet:

The UI5 application logs what the user submitted via the sap.m.Input control.

<Input placeholder="Enter Payload" 
    value="{/input}" />  <!--User input source sap.m.Input.value -->

var input = oModel.getProperty("/input");
jQuery.sap.log.debug(input);  // user input is logged as is

A second component retrieves log entries to further process them.

let message = Log.getLogEntries()[0].message; //access to user controlled logs
do_smth(message);

References

OWASP: Log Injection.
OWASP: Log Injection Cheat Sheet.
SAP UI5 Documentation: namespace sap/base/Log.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Access to user-controlled UI5 Logs

Recommendation

Example

References

FilesExpand file tree

UI5UnsafeLogAccess.md

Latest commit

History

UI5UnsafeLogAccess.md

File metadata and controls

Access to user-controlled UI5 Logs

Recommendation

Example

References