@mbaluda mbaluda commented Feb 5, 2024

  • Model event handler phases before and after.
  • Model and tests for the log-injection example in SAP-samples/cloud-cap-samples.
  • Add query help files.
  • Add query suites files.
  • Bump packages version.

@mbaluda mbaluda requested a review from knewbury01 February 5, 2024 17:40
@mbaluda mbaluda self-assigned this Feb 5, 2024
@mbaluda mbaluda enabled auto-merge February 5, 2024 20:59
@mbaluda mbaluda changed the title Event handler phases Log-injection improvements Feb 7, 2024

@knewbury01 knewbury01 left a comment

@mbaluda nice work! just a few small comments/questions at this point


const LOG = cds.log("nodejs");
LOG.info("test" + book);
LOG.info("test" + book); // Log injection alert

Check failure

Code scanning / CodeQL

Uncontrolled data in logging call

Log entry depends on a [user-provided value](1).
this.on('format', (req) => {
const cds2 = require ('@sap/cds/lib')
const LOG = cds2.log('cds.log')
const $ = req.data; LOG.info('format:', $) // Log injection alert
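
Review bot: the last line of the `format` handler puts the `req.data` assignment and the `LOG.info('format:', $)` sink in one statement line, so the `// Log injection alert` expectation is not tied to the logging call alone. Splitting it into `const $ = req.data` and a separate `LOG.info('format:', $) // Log injection alert` line would make it unambiguous which expression the test expects the query to flag.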

Check failure

Code scanning / CodeQL

Uncontrolled data in logging call

Log entry depends on a [user-provided value](1).

@knewbury01 knewbury01 left a comment

only one very tiny change! other than that looks great! @mbaluda


@knewbury01 knewbury01 left a comment

LGTM! :shipit:

@mbaluda mbaluda merged commit 19dd204 into main Feb 27, 2024
@mbaluda mbaluda deleted the mbaluda-cap branch February 27, 2024 15:42