From 6055d4ffbc3662c1e040bdc47f2d7b0d859c71ff Mon Sep 17 00:00:00 2001 From: "matthia.braun@sap.com" Date: Fri, 12 Sep 2025 09:01:39 +0200 Subject: [PATCH 1/3] Security warning potential injection in messages --- java/event-handlers/indicating-errors.md | 4 ++++ node.js/events.md | 3 +++ 2 files changed, 7 insertions(+) diff --git a/java/event-handlers/indicating-errors.md b/java/event-handlers/indicating-errors.md index 73e076753..e5f4e9adf 100644 --- a/java/event-handlers/indicating-errors.md +++ b/java/event-handlers/indicating-errors.md @@ -70,6 +70,10 @@ Writing the messages into explicitly modeled messages properties isn't yet suppo SAP Fiori uses these messages to display detailed information on the UI. The style how a message appears on the UI depends on the severity of the message. +::: warning Avoid Injection Vulnerabilities +Ensure proper validation of the message text and URL if they contain values ​​from user input. +::: + ### Throwing a ServiceException from Error Messages { #throwing-a-serviceexception-from-messages} It is also possible to throw a [ServiceException](https://www.javadoc.io/doc/com.sap.cds/cds-services-api/latest/com/sap/cds/services/ServiceException.html) from error messages. This can, for example, be useful to cancel a request after collecting multiple validation errors. The individual validation checks will collect error messages in the `Messages` API. After the validation checks have been run, you call the `throwIfError()` method. Only if error messages have been collected, this method cancels the request with a [ServiceException](https://www.javadoc.io/doc/com.sap.cds/cds-services-api/latest/com/sap/cds/services/ServiceException.html): diff --git a/node.js/events.md b/node.js/events.md index 8bfdf52db..cf03acfb8 100644 --- a/node.js/events.md +++ b/node.js/events.md 
@@ -548,6 +548,9 @@ req.warn ('Some warning message') The methods are similar to [`req.error()`](#req-error), also accepting the [same arguments](#req-reject), but the messages are collected in `req.messages` instead of `req.errors`, not decorated with stack traces, and returned in a HTTP response header (e.g. `sap-messages`), instead of the response body. +::: warning Avoid Injection Vulnerabilities +Ensure proper validation of the message text if it contains values ​​from user input. +::: ## Error Responses From 643c146b54b4d2864418575e10d9b6015c24da9b Mon Sep 17 00:00:00 2001 From: Mahati Shankar <93712176+smahati@users.noreply.github.com> Date: Fri, 19 Sep 2025 16:03:53 +0200 Subject: [PATCH 2/3] Update java/event-handlers/indicating-errors.md --- java/event-handlers/indicating-errors.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/java/event-handlers/indicating-errors.md b/java/event-handlers/indicating-errors.md index e5f4e9adf..c7abfdfe8 100644 --- a/java/event-handlers/indicating-errors.md +++ b/java/event-handlers/indicating-errors.md @@ -70,7 +70,7 @@ Writing the messages into explicitly modeled messages properties isn't yet suppo SAP Fiori uses these messages to display detailed information on the UI. The style how a message appears on the UI depends on the severity of the message. -::: warning Avoid Injection Vulnerabilities +::: warning User Input & Injection Vulnerabilities Ensure proper validation of the message text and URL if they contain values ​​from user input. ::: From 341ff3b8cb9f8a852542b2f45edf5b3030937254 Mon Sep 17 00:00:00 2001 From: Mahati Shankar <93712176+smahati@users.noreply.github.com> Date: Fri, 19 Sep 2025 16:04:00 +0200 Subject: [PATCH 3/3] Update node.js/events.md --- node.js/events.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/node.js/events.md b/node.js/events.md index cf03acfb8..120767105 100644 --- a/node.js/events.md +++ b/node.js/events.md 
@@ -548,7 +548,7 @@ req.warn ('Some warning message') The methods are similar to [`req.error()`](#req-error), also accepting the [same arguments](#req-reject), but the messages are collected in `req.messages` instead of `req.errors`, not decorated with stack traces, and returned in a HTTP response header (e.g. `sap-messages`), instead of the response body. -::: warning Avoid Injection Vulnerabilities +::: warning User Input & Injection Vulnerabilities Ensure proper validation of the message text if it contains values ​​from user input. :::
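Review bot: In the `indicating-errors.md` hunk of PATCH 1/3, "Ensure proper validation of the message text and URL" leaves the reader without an actionable control. Since the surrounding context says SAP Fiori renders these messages on the UI, the practical guidance is to keep user-supplied values out of the message string itself (for example by passing them as message parameters rather than concatenating them into the text), to treat them as untrusted data that must be encoded for the UI context where they are displayed, and to restrict any URL derived from user input to an expected target or scheme. Also, the added line `Ensure proper validation of the message text and URL if they contain values ​​from user input.` contains two invisible zero-width characters between "values" and "from"; these should be stripped so the source stays clean and greppable.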
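Review bot: In the `node.js/events.md` hunk of PATCH 1/3, the warning is placed directly under the sentence stating that these messages are "returned in a HTTP response header (e.g. `sap-messages`)", but it does not name the risk that follows from that: untrusted values in a header are primarily a header-injection concern (line-break and other control characters must not reach the header value), which is a different check from the UI-encoding concern in the Java document. Consider stating that explicitly, and, if `req.warn()`/`req.error()` accept a target or URL the way the Java API does, mirror the "message text and URL" wording used in `indicating-errors.md` so the two notes stay consistent. The same stray zero-width characters as in the Java hunk appear in `values ​​from` here.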
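Review bot: PATCH 2/3 and PATCH 3/3 only retitle the admonition from "Avoid Injection Vulnerabilities" to "User Input & Injection Vulnerabilities" while leaving the vague "proper validation" body untouched, and both carry GitHub's default subject ("Update java/event-handlers/indicating-errors.md", "Update node.js/events.md") rather than saying why the title changed. Squashing them into PATCH 1/3, or giving them a descriptive subject, would make the history easier to follow; and if the intent of the rename is to signal that the risk comes from user input, the body should say what to do with that input rather than only asking for validation.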