fix(logging): sanitization if literal values contain parentheses (#210)

schwma · web-flow · commit 90a4d6e6ee84 · 2025-09-03T16:37:00.000+02:00
Example query:

```gql
query MyQuery {
  AdminService {
    Books(filter: {title: {contains: ") foo"}}) {
      nodes {
        ID
      }
    }
  }
}
```

Previous log output (in production):

```gql
[graphql] - POST { operationName: 'MyQuery' } 
query MyQuery {
  AdminService {
    Books( *** ) foo"}}) {
      nodes {
        ID
      }
    }
  }
}
```

New log output (in production):

```gql
[graphql] - POST { operationName: 'MyQuery' } 
 query MyQuery {
  AdminService {
    Books(filter: "***") {
      nodes {
        ID
      }
    }
  }
}
```
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -15,6 +15,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ### Fixed
 
+- Sanitization of logged queries, when running in production, if literal values contain parentheses
 - Read GraphiQL HTML file only once on startup, and only if GraphiQL is enabled, to avoid unnecessary file system access
 
 ### Removed
diff --git a/lib/GraphQLAdapter.js b/lib/GraphQLAdapter.js
@@ -7,25 +7,23 @@ const { createHandler } = require('graphql-http/lib/use/express')
 const { formatError } = require('./resolvers/error')
 
 function GraphQLAdapter(options) {
-  const router = express.Router()
-  const { services } = options
   const defaults = { graphiql: true }
-  const schema = generateSchema4(services)
   options = { ...defaults, ...options }
 
   const errorFormatter = options.errorFormatter
     ? require(path.join(cds.root, options.errorFormatter))
     : require('./errorFormatter') // default error formatter
 
-  router
-    .use(express.json({ ...cds.env.server.body_parser })) //> required by logger below
-    .use(queryLogger)
-
-  if (options.graphiql) router.use(require('../app/graphiql'))
+  const schema = generateSchema4(options.services)
 
-  router.use((req, res) =>
+  const queryHandler = (req, res) =>
     createHandler({ schema, context: { req, res, errorFormatter }, formatError, ...options })(req, res)
-  )
+
+  const router = express.Router()
+
+  router.use(queryLogger)
+  if (options.graphiql) router.use(require('../app/graphiql'))
+  router.use(queryHandler)
 
   return router
 }
diff --git a/lib/logger.js b/lib/logger.js
@@ -1,19 +1,23 @@
+const express = require('express')
+const router = express.Router()
 const cds = require('@sap/cds')
 const { decodeURIComponent } = cds.utils
 const { IS_PRODUCTION } = require('./utils')
 const util = require('util')
 const LOG = cds.log('graphql')
+const { parse, visit, Kind, print } = require('graphql')
 
 const _isEmptyObject = o => Object.keys(o).length === 0
 
-const queryLogger = (req, _, next) => {
+router.use(express.json({ ...cds.env.server.body_parser })) //> required by logger below
+
+router.use(function queryLogger(req, _, next) {
   let query = req.body?.query || (req.query.query && decodeURIComponent(req.query.query))
   // Only log requests that contain a query
   if (!query) {
     next()
     return
   }
-  query = query.trim()
 
   const operationName = req.body?.operationName || req.query?.operationName
 
@@ -38,15 +42,28 @@ const queryLogger = (req, _, next) => {
     ? undefined
     : util.formatWithOptions({ colors: false, depth: null }, queryInfo)
 
-  // If query is multiline string, add newline padding to front
-  let formattedQuery = query.includes('\n') ? `\n${query}` : query
-  // Sanitize all values between parentheses
-  if (IS_PRODUCTION) formattedQuery = formattedQuery.replace(/\([\s\S]*?\)/g, '( *** )')
+  query = query.trim()
+
+  if (IS_PRODUCTION) {
+    try {
+      const ast = parse(query)
+      // Sanitize all arguments unless they are variables
+      visit(ast, {
+        [Kind.ARGUMENT](node) {
+          if (node.value.kind === Kind.VARIABLE) return
+          node.value = { kind: Kind.STRING, value: '***' }
+        }
+      })
+      query = print(ast)
+    } catch {
+      // If parsing or sanitizing the query fails, log the original query
+    }
+  }
 
   // Don't log undefined values
-  LOG.info(...[req.method, formattedQueryInfo, formattedQuery].filter(e => e))
+  LOG.info(...[req.method, formattedQueryInfo, '\n', query].filter(e => e))
 
   next()
-}
+})
 
-module.exports = queryLogger
+module.exports = router
diff --git a/test/tests/error-handling-dev.test.js b/test/tests/error-handling-dev.test.js
@@ -7,13 +7,17 @@ describe('graphql - error handling in development', () => {
   // Prevent axios from throwing errors for non 2xx status codes
   axios.defaults.validateStatus = false
 
+  let _warn = []
+  let _error = []
+
   beforeEach(() => {
-    jest.spyOn(console, 'warn')
-    jest.spyOn(console, 'error')
+    console.warn = (...s) => _warn.push(s) // eslint-disable-line no-console
+    console.error = (...s) => _error.push(s) // eslint-disable-line no-console
   })
 
   afterEach(() => {
-    jest.clearAllMocks()
+    _warn = []
+    _error = []
   })
 
   describe('Errors thrown by CDS', () => {
@@ -33,7 +37,7 @@ describe('graphql - error handling in development', () => {
         {
           message: expect.any(String),
           extensions: {
-            code: expect.stringMatching(/ASSERT_MANDATORY|ASSERT_NOT_NULL/) ,
+            code: expect.stringMatching(/ASSERT_MANDATORY|ASSERT_NOT_NULL/),
             target: 'notEmptyI',
             stacktrace: expect.any(Array)
           }
@@ -63,13 +67,13 @@ describe('graphql - error handling in development', () => {
             code: 'MULTIPLE_ERRORS',
             details: [
               {
-                code: expect.stringMatching(/ASSERT_MANDATORY|ASSERT_NOT_NULL/) ,
+                code: expect.stringMatching(/ASSERT_MANDATORY|ASSERT_NOT_NULL/),
                 message: expect.any(String),
                 target: 'notEmptyI',
                 stacktrace: expect.any(Array)
               },
               {
-                code: expect.stringMatching(/ASSERT_MANDATORY|ASSERT_NOT_NULL/) ,
+                code: expect.stringMatching(/ASSERT_MANDATORY|ASSERT_NOT_NULL/),
                 message: expect.any(String),
                 target: 'notEmptyS',
                 stacktrace: expect.any(Array)
@@ -132,7 +136,7 @@ describe('graphql - error handling in development', () => {
             code: 'MULTIPLE_ERRORS',
             details: [
               { target: 'inRange', message: 'Wert ist erforderlich' },
-              { target: 'oneOfEnumValues', message: expect.any(String) },
+              { target: 'oneOfEnumValues', message: expect.any(String) }
             ]
           }
         }
@@ -143,15 +147,15 @@ describe('graphql - error handling in development', () => {
       expect(response.data.errors[0].extensions.details[0].stacktrace[0]).not.toHaveLength(0) // Stacktrace exists and is not empty
       expect(response.data.errors[0].extensions.details[1].stacktrace[0]).not.toHaveLength(0) // Stacktrace exists and is not empty
 
-      const log = console.warn.mock.calls[0][1]
+      const log = _warn[0][1]
       expect(log).toMatchObject({
         code: 'MULTIPLE_ERRORS',
         details: [
           { target: 'inRange', code: expect.stringMatching(/ASSERT_MANDATORY|ASSERT_NOT_NULL/) },
           { target: 'oneOfEnumValues', code: 'ASSERT_ENUM' }
         ]
       })
-      expect(console.warn.mock.calls[0][1]).not.toHaveProperty('stacktrace') // No stacktrace outside of error details
+      expect(_warn[0][1]).not.toHaveProperty('stacktrace') // No stacktrace outside of error details
     })
   })
 
@@ -335,7 +339,7 @@ describe('graphql - error handling in development', () => {
       expect(response.data.errors[0].extensions).not.toHaveProperty('stacktrace') // No stacktrace outside of error details
       expect(response.data.errors[0].extensions.details[0].stacktrace[0]).not.toHaveLength(0) // Stacktrace exists and is not empty
       expect(response.data.errors[0].extensions.details[1].stacktrace[0]).not.toHaveLength(0) // Stacktrace exists and is not empty
-      expect(console.error.mock.calls[0][1]).toMatchObject({
+      expect(_error[0][1]).toMatchObject({
         code: 'MULTIPLE_ERRORS',
         details: [
           {
@@ -354,7 +358,7 @@ describe('graphql - error handling in development', () => {
           }
         ]
       })
-      expect(console.error.mock.calls[0][1]).not.toHaveProperty('stacktrace') // No stacktrace outside of error details
+      expect(_error[0][1]).not.toHaveProperty('stacktrace') // No stacktrace outside of error details
     })
 
     test('Thrown error is modified in srv.on(error) handler', async () => {
diff --git a/test/tests/error-handling-prod.test.js b/test/tests/error-handling-prod.test.js
@@ -8,15 +8,20 @@ describe('graphql - error handling in production', () => {
   // Prevent axios from throwing errors for non 2xx status codes
   axios.defaults.validateStatus = false
 
+  let _warn = []
+  let _error = []
+
   beforeEach(() => {
-    jest.spyOn(console, 'warn')
-    jest.spyOn(console, 'error')
+    console.warn = (...s) => _warn.push(s) // eslint-disable-line no-console
+    console.error = (...s) => _error.push(s) // eslint-disable-line no-console
   })
 
   afterEach(() => {
-    jest.clearAllMocks()
+    _warn = []
+    _error = []
   })
 
+
   describe('Errors thrown by CDS', () => {
     test('Single @mandatory validation error', async () => {
       const query = gql`
@@ -42,7 +47,7 @@ describe('graphql - error handling in production', () => {
       const response = await POST('/graphql', { query })
       expect(response.data).toMatchObject({ errors })
       expect(response.data.errors[0].extensions).not.toHaveProperty('stacktrace') // No stacktrace in production
-      const log = console.warn.mock.calls[0][1] || JSON.parse(console.warn.mock.calls[0][0])
+      const log = _warn[0][1] || JSON.parse(_warn[0][0])
       expect(log).toMatchObject({ code: expect.stringMatching(/ASSERT_MANDATORY|ASSERT_NOT_NULL/) , target: 'notEmptyI' })
     })
 
@@ -148,7 +153,7 @@ describe('graphql - error handling in production', () => {
       expect(response.data.errors[0].extensions).not.toHaveProperty('stacktrace') // No stacktrace outside of error details
       expect(response.data.errors[0].extensions.details[0]).not.toHaveProperty('stacktrace') // No stacktrace in production
       expect(response.data.errors[0].extensions.details[1]).not.toHaveProperty('stacktrace') // No stacktrace in production
-      const log = console.warn.mock.calls[0][1] || JSON.parse(console.warn.mock.calls[0][0])
+      const log = _warn[0][1] || JSON.parse(_warn[0][0])
 
       expect(log).toMatchObject({
         code: 'MULTIPLE_ERRORS',
@@ -322,7 +327,7 @@ describe('graphql - error handling in production', () => {
       expect(response.data).toMatchObject({ errors })
       expect(response.data.errors[0].extensions).not.toHaveProperty('stacktrace') // No stacktrace outside of error details
       expect(response.data.errors[0].extensions).not.toHaveProperty('details') // No details since one of the errors is 5xx
-      const log = console.error.mock.calls[0][1] || JSON.parse(console.error.mock.calls[0][0])
+      const log = _error[0][1] || JSON.parse(_error[0][0])
       expect(log).toMatchObject({
         code: 'MULTIPLE_ERRORS',
         details: [
diff --git a/test/tests/logger-dev.test.js b/test/tests/logger-dev.test.js
@@ -10,23 +10,22 @@ describe('graphql - query logging in development', () => {
 
   const _format = e => util.formatWithOptions({ colors: false, depth: null }, ...(Array.isArray(e) ? e : [e]))
 
-  let _log
+  let _info = []
 
-  beforeEach(async () => {
-    await data.reset()
-    _log = jest.spyOn(console, 'info')
+  beforeEach(() => {
+    console.info = (...s) => _info.push(s) // eslint-disable-line no-console
   })
 
   afterEach(() => {
-    jest.clearAllMocks()
+    _info = []
   })
 
   describe('POST requests', () => {
     test('Do not log requests with undefined queries', async () => {
       const response = await POST('/graphql')
       expect(response.status).toEqual(400)
       expect(response.data.errors[0]).toEqual({ message: 'Missing query' })
-      expect(_log.mock.calls.length).toEqual(0)
+      expect(_info.length).toEqual(0)
     })
 
     test('Log should contain HTTP method', async () => {
@@ -42,7 +41,7 @@ describe('graphql - query logging in development', () => {
         }
       `
       await POST('/graphql', { query })
-      expect(_format(_log.mock.calls[0])).toContain('POST')
+      expect(_format(_info[0])).toContain('POST')
     })
 
     test('Log should not contain operationName if none was provided', async () => {
@@ -58,7 +57,7 @@ describe('graphql - query logging in development', () => {
         }
       `
       await POST('/graphql', { query })
-      expect(_format(_log.mock.calls[0])).not.toContain('operationName')
+      expect(_format(_info[0])).not.toContain('operationName')
     })
 
     test('Log should not contain variables if none were provided', async () => {
@@ -74,7 +73,7 @@ describe('graphql - query logging in development', () => {
         }
       `
       await POST('/graphql', { query })
-      expect(_format(_log.mock.calls[0])).not.toContain('variables')
+      expect(_format(_info[0])).not.toContain('variables')
     })
 
     test('Log should contain operationName and its value', async () => {
@@ -100,7 +99,7 @@ describe('graphql - query logging in development', () => {
         }
       `
       await POST('/graphql', { operationName, query })
-      expect(_format(_log.mock.calls[0])).toContain(`operationName: '${operationName}'`)
+      expect(_format(_info[0])).toContain(`operationName: '${operationName}'`)
     })
 
     test('Log should contain literal values', async () => {
@@ -117,7 +116,7 @@ describe('graphql - query logging in development', () => {
         }
       `
       await POST('/graphql', { query })
-      expect(_format(_log.mock.calls[0])).toContain(secretTitle)
+      expect(_format(_info[0])).toContain(secretTitle)
     })
 
     test('Log should contain variables and their values', async () => {
@@ -134,7 +133,7 @@ describe('graphql - query logging in development', () => {
       `
       const variables = { filter: { ID: { ge: 250 } } }
       await POST('/graphql', { query, variables })
-      expect(_format(_log.mock.calls[0])).toContain(`variables: ${_format(variables)}`)
+      expect(_format(_info[0])).toContain(`variables: ${_format(variables)}`)
     })
   })
 
@@ -143,7 +142,7 @@ describe('graphql - query logging in development', () => {
       const response = await GET('/graphql')
       expect(response.status).toEqual(200)
       expect(response.data).toMatch(/html/i) // GraphiQL is returned
-      expect(_log.mock.calls.length).toEqual(0)
+      expect(_info.length).toEqual(0)
     })
 
     test('Log should contain HTTP method', async () => {
@@ -159,7 +158,7 @@ describe('graphql - query logging in development', () => {
         }
       `
       await GET(`/graphql?query=${query}`)
-      expect(_format(_log.mock.calls[0])).toContain('GET')
+      expect(_format(_info[0])).toContain('GET')
     })
 
     test('Log should not contain operationName if none was provided', async () => {
@@ -175,7 +174,7 @@ describe('graphql - query logging in development', () => {
         }
       `
       await GET(`/graphql?query=${query}`)
-      expect(_format(_log.mock.calls[0])).not.toContain('operationName')
+      expect(_format(_info[0])).not.toContain('operationName')
     })
 
     test('Log should not contain variables if none were provided', async () => {
@@ -191,7 +190,7 @@ describe('graphql - query logging in development', () => {
         }
       `
       await GET(`/graphql?query=${query}`)
-      expect(_format(_log.mock.calls[0])).not.toContain('variables')
+      expect(_format(_info[0])).not.toContain('variables')
     })
 
     test('Log should contain operationName and its value', async () => {
@@ -217,7 +216,7 @@ describe('graphql - query logging in development', () => {
         }
       `
       await GET(`/graphql?operationName=${operationName}&query=${query}`)
-      expect(_format(_log.mock.calls[0])).toContain(`operationName: '${operationName}'`)
+      expect(_format(_info[0])).toContain(`operationName: '${operationName}'`)
     })
 
     test('Log should contain literal values', async () => {
@@ -234,7 +233,7 @@ describe('graphql - query logging in development', () => {
         }
       `
       await GET(`/graphql?query=${query}`)
-      expect(_format(_log.mock.calls[0])).toContain(secretTitle)
+      expect(_format(_info[0])).toContain(secretTitle)
     })
 
     test('Log should contain variables and their values', async () => {
@@ -251,7 +250,7 @@ describe('graphql - query logging in development', () => {
       `
       const variables = { filter: { ID: { ge: 250 } } }
       await GET(`/graphql?query=${query}&variables=${JSON.stringify(variables)}`)
-      expect(_format(_log.mock.calls[0])).toContain(`variables: ${_format(variables)}`)
+      expect(_format(_info[0])).toContain(`variables: ${_format(variables)}`)
     })
   })
 })
diff --git a/test/tests/logger-prod.test.js b/test/tests/logger-prod.test.js
