It is possible to circumvent audit-logging of sensitive data if the data is read via a calculated element.
I have created a sample which illustrates the problem. In the incidents-app, the credit card number of the customer is exposed in Incidents via a calculated element. In the sample, audit-logging has been added as well as the data-privacy annotations.
Steps to reproduce
git clone https://github.com/cap-js/incidents-app.git && cd incidents-app
git checkout patrice/calc
npm i
cds watch
Read sensitive data directly and observe audit-logging
[odata] - GET /odata/v4/processor/Customers → Logs for direct read
[odata] - GET /odata/v4/processor/Incidents → No logs for indirect read, which exposes the credit card number of the customer:

It is documented in Annotating Personal Data. You cannot guess the entity-level annotation (e.g., personal data or personal data details?). Hence, you need to add the annotations explicitly. Repeating propagated annotations is not necessary, but I'd always annotate everything in the same location.
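The following CDS sketch is an added example, not code from the incidents-app, the patrice/calc branch, or either participant in this thread. It shows the gap the issue reports beside the explicit annotation the comment asks for, using the entity and field names visible on the page (Customers, Incidents, creditCardNo). The calculated element name customerCreditCard, the import path and the placement of the annotations at db level are assumptions.

```cds
// Added example (not the project's own code). Assumed: the incidents-app db
// schema lives in db/schema.cds under namespace sap.capire.incidents, with an
// association Incidents.customer -> Customers and Customers.creditCardNo.
using { sap.capire.incidents as my } from '../db/schema';

// Data subject with its sensitive field annotated: a direct read of
// Customers.creditCardNo is picked up by audit-logging (the direct-read case).
annotate my.Customers with @PersonalData : {
  EntitySemantics : 'DataSubject',
  DataSubjectRole : 'Customer'
} {
  ID           @PersonalData.FieldSemantics : 'DataSubjectID';
  creditCardNo @PersonalData.IsPotentiallySensitive;
};

// The gap: a calculated element (name assumed) copies the card number into
// Incidents. Nothing on Incidents says this element is sensitive, so a read of
// Incidents returns the number without an audit-log entry (the indirect-read case).
extend my.Incidents with {
  customerCreditCard : String = customer.creditCardNo;
};

// Mitigation, as the comment states: annotate the exposing entity explicitly,
// naming its data subject and marking the calculated element as sensitive.
annotate my.Incidents with @PersonalData : {
  EntitySemantics : 'Other'
} {
  customer           @PersonalData.FieldSemantics : 'DataSubjectID';
  customerCreditCard @PersonalData.IsPotentiallySensitive;
};
```

To check the effect, repeat the two GET requests from the reproduction steps after adding the second annotate block: the read of Incidents should now produce the same sensitive-data-read audit entry as the read of Customers. A simple review rule follows from this: every entity that exposes a sensitive value, whether through its own elements, a projection or a calculated element, needs its own @PersonalData block, because the annotation on the source field is not carried over to a calculated element.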