Merge pull request github#12065 from knewbury01/knewbury01/fix-js-cleartext-logging-doc

Update JS CleartextLogging qhelp

Author: erik-krogh

javascript/ql/src/Security/CWE-312/CleartextLogging.qhelp

@@ -2,4 +2,33 @@
   "-//Semmle//qhelp//EN"
   "qhelp.dtd">
 <qhelp>
-<include src="CleartextStorage.qhelp" /></qhelp>
+
+<overview>
+
+<p>If sensitive data is written to a log entry it could be exposed to an attacker
+who gains access to the logs.</p>
+
+<p>Potential attackers can obtain sensitive user data when the log output is displayed. Additionally that data may
+expose system information such as full path names, system information, and sometimes usernames and passwords.</p>
+</overview>
+
+<recommendation>
+<p>
+Sensitive data should not be logged.
+</p>
+</recommendation>
+
+<example>
+<p>In the example the entire process environment is logged using `console.info`. Regular users of the production deployed application
+should not have access to this much information about the environment configuration.
+</p>
+<sample src="examples/CleartextLogging.js" />
+
+<p> In the second example the data that is logged is not sensitive.</p>
+<sample src="examples/CleartextLoggingGood.js" />
+</example>
+
+<references>
+<li>OWASP: <a href="https://owasp.org/Top10/A09_2021-Security_Logging_and_Monitoring_Failures/">Insertion of Sensitive Information into Log File</a>.</li>
+</references>
+</qhelp>

javascript/ql/src/Security/CWE-312/examples/CleartextLogging.js

@@ -0,0 +1,2 @@
+// BAD: Logging cleartext sensitive data
+console.info(`[INFO] Environment: ${process.env}`);

javascript/ql/src/Security/CWE-312/examples/CleartextLoggingGood.js

@@ -0,0 +1,3 @@
+let not_sensitive_data = { a: 1, b : 2} 
+// GOOD: it is fine to log data that is not sensitive
+console.info(`[INFO] Some object contains: ${not_sensitive_data}`);