Sending user-controlled log data to a remote URL without further validation may lead to uncontrolled information exposure and to injection vulnerabilities. It may be an indication of malicious backdoor code that has been implanted into an otherwise trusted code base.
UI5 applications can retrieve logs for further processing using sap/base/Log.getLogEntries, define custom listeners using sap/base/Log.addLogListener or directly display logs using the sap/ui/vk/Notifications control.
This query identifies instances where log entries from user input are forwarded to a remote URL.
Avoid processing log entries that originate from user-controlled sources. Ensure that any log data is properly sanitized.
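One way to apply this recommendation at the forwarding step, as an added example that is not part of the CodeQL query or of UI5 itself: control characters are stripped from each message, only entries from allowlisted components are forwarded, and the sink is injected so the code runs offline. The entry shape (message, level, component) mirrors what sap/base/Log.getLogEntries() returns and is an assumption here, as are the component names.

```javascript
// Collapse CR/LF and other control characters so a user-supplied message
// cannot forge extra lines or terminal escapes in the remote log store.
function sanitizeLogMessage(message, maxLen = 512) {
  const cleaned = String(message).replace(/[\u0000-\u001f\u007f]+/g, " ");
  return cleaned.length > maxLen ? cleaned.slice(0, maxLen) + "[truncated]" : cleaned;
}

// Assumed component names; entries logged without a component (as with
// jQuery.sap.log.debug(input) above) never match and are dropped.
const FORWARD_COMPONENTS = new Set(["my.app.payment", "my.app.auth"]);

// Keep only allowlisted entries and copy them into a fixed, sanitized shape.
function selectForwardableEntries(entries) {
  return entries
    .filter((e) => FORWARD_COMPONENTS.has(e.component))
    .map((e) => ({
      level: e.level,
      component: e.component,
      message: sanitizeLogMessage(e.message),
    }));
}

// `send` is injected (in the browser it would wrap XMLHttpRequest); the
// payload is structured JSON rather than the raw message string.
function forwardLogEntries(entries, send) {
  const batch = selectForwardableEntries(entries);
  if (batch.length > 0) {
    send(JSON.stringify({ entries: batch }));
  }
  return batch;
}

// Constructed sample entries: the first carries user input with a CRLF
// line-forgery attempt, the second was logged without a component.
// Level 4 is sap/base/Log.Level.DEBUG (assumed numbering).
const SAMPLE_ENTRIES = [
  { level: 4, component: "my.app.payment", message: "user note: ok\r\n[forged] second line" },
  { level: 4, component: "", message: "raw debug output, no component" },
];

const sentPayloads = [];
forwardLogEntries(SAMPLE_ENTRIES, (payload) => sentPayloads.push(payload));
console.log(sentPayloads);
```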
The following example demonstrates a vulnerable code snippet:

- The UI5 application logs what the user submitted via the sap.m.Input control.

```xml
<Input placeholder="Enter Payload"
       value="{/input}" /> <!--User input source sap.m.Input.value -->
```

```javascript
var input = oModel.getProperty("/input");
jQuery.sap.log.debug(input); // user input is logged as is
```

- A second component sends log entries to a remote URL without further validation.

```javascript
const http = new XMLHttpRequest();
const url = "https://some.remote.server/location";
http.open("POST", url);
http.send(Log.getLogEntries()[0].message); // log entry is forwarded to a remote URL
```

References:

- OWASP: Log Injection.
- OWASP: Log Injection Cheat Sheet.
- SAP UI5 Documentation: namespace sap/base/Log.