We use Cloud SDK in our project to make a connection to the S4Hana service from SCP. As a result we use the destination service, where we configure the destination we want to connect to.
During this we observed that the Destination service credentials were logged when the log level was set to DEBUG. It contains all the information about the client id, client secret, tokenServicePassword etc. fields, not even in encrypted format.
Is there any reason for logging the password, or is it a miss?
The class ScpCfDestinationLoader has a private method queryDestinationService that indeed does log the response payload of an internal request to the Cloud Foundry Destination Service, with log level DEBUG. It's clear that for debugging customer/consumer issues, such responses give very important hints on unexpected situations and potential user misconfigurations. It needs to be logged somewhere, otherwise time-intensive remote-debugging sessions would be necessary to investigate every error.
With the default configuration of your Cloud Foundry account, no debug messages are logged. If you (as administrator) decided to enable DEBUG messages, then you should be aware that potentially sensitive information will be stored in the log files. Who can access the log files can be controlled by the account administrator.
We already took some precautionary steps to hide sensitive information from being extracted when dealing with Destination instances. The overly "talkative" log messages that you are referring to will definitely be subject to further adjustments as well. Thanks for pointing it out. In the future we will stop credentials (password / client secret) from being written to the debug log here.
However, we consider debug log messages as not production-relevant.
Please note: the same situation does not only apply to Cloud SDK but also to the underlying Apache HTTP framework, e.g. the classes of its Wire package. Here every byte of internal HTTP traffic is logged in detail. If a potential attacker has full access to the logs of a Java application, he pretty much sees every network activity.
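The mitigation discussed in the answer (keep the payload in the DEBUG log, but never the credentials) can be applied on the consuming side as well. The following is an added example, not code from SAP Cloud SDK or from the answer above: a small redaction helper that masks secret-bearing fields of a destination-service style JSON payload before the string is handed to a logger. The field names clientSecret and tokenServicePassword come from the question; treating a generic "password" field the same way, and leaving clientId visible, are assumptions made for illustration.

```java
import java.util.Set;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/**
 * Added example, not part of SAP Cloud SDK: redacts secret-bearing fields in a
 * Destination-service style JSON payload before it reaches a DEBUG log line.
 * Key names clientSecret / tokenServicePassword follow the question; "password"
 * is an assumed extra key, and clientId is deliberately left readable.
 */
public final class DestinationLogRedactor {

    // Field names whose values must never appear in a log line (compared case-insensitively).
    private static final Set<String> SECRET_KEYS = Set.of(
        "clientsecret", "tokenservicepassword", "password");

    // Matches "key" : "value" pairs of a JSON object; group 1 = key, group 2 = value.
    private static final Pattern FIELD = Pattern.compile(
        "\"([^\"]+)\"\\s*:\\s*\"((?:[^\"\\\\]|\\\\.)*)\"");

    private DestinationLogRedactor() {}

    /** Returns the payload with the value of every secret field replaced by a fixed marker. */
    public static String redact(String payload) {
        Matcher m = FIELD.matcher(payload);
        StringBuilder out = new StringBuilder();
        while (m.find()) {
            String key = m.group(1);
            String replacement = SECRET_KEYS.contains(key.toLowerCase())
                ? "\"" + key + "\": \"***REDACTED***\""
                : m.group();
            // quoteReplacement keeps '$' and '\' in the original text literal.
            m.appendReplacement(out, Matcher.quoteReplacement(replacement));
        }
        m.appendTail(out);
        return out.toString();
    }

    public static void main(String[] args) {
        // Constructed sample resembling a destination lookup response; all values are fake.
        String response = "{\"Name\":\"S4\",\"URL\":\"https://s4.example.invalid\","
            + "\"clientId\":\"sb-app!t1\",\"clientSecret\":\"s3cr3t\","
            + "\"tokenServicePassword\":\"hunter2\"}";
        // Only the redacted form should ever be passed to log.debug(...).
        System.out.println(redact(response));
    }
}
```

Redaction on the caller's side does not cover the Apache HttpClient wire logging the answer mentions, which is driven by its own logger (org.apache.http.wire in HttpClient 4.x) and should stay disabled in production; the safest baseline remains the default of not enabling DEBUG at all on productive accounts.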