From f22d07623b489f509808bf883532426e761a992c Mon Sep 17 00:00:00 2001
From: Kiro Agent <244629292+kiro-agent@users.noreply.github.com>
Date: Wed, 10 Jun 2026 07:21:37 +0000
Subject: [PATCH] JavaScript: Exclude debug npm package from js/log-injection sinks

---
 .../javascript/security/dataflow/LogInjectionQuery.qll | 7 ++++++-
 .../query-tests/Security/CWE-117/logInjectionGood.js | 10 ++++++++++
 2 files changed, 16 insertions(+), 1 deletion(-)

diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/LogInjectionQuery.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/LogInjectionQuery.qll
index 6e4dbbf396ed..750323fa38c8 100644
--- a/javascript/ql/lib/semmle/javascript/security/dataflow/LogInjectionQuery.qll
+++ b/javascript/ql/lib/semmle/javascript/security/dataflow/LogInjectionQuery.qll
@@ -61,7 +61,12 @@ class RemoteSource extends Source instanceof RemoteFlowSource {
  * An argument to a logging mechanism.
  */
 class LoggingSink extends Sink {
-  LoggingSink() { this = any(LoggerCall console).getAMessageComponent() }
+  LoggingSink() {
+    exists(LoggerCall logger |
+      this = logger.getAMessageComponent() and
+      not logger = API::moduleImport("debug").getReturn().getACall()
+    )
+  }
 }
 
 /**
diff --git a/javascript/ql/test/query-tests/Security/CWE-117/logInjectionGood.js b/javascript/ql/test/query-tests/Security/CWE-117/logInjectionGood.js
index a0fc508808e5..f14ef70a34f7 100644
--- a/javascript/ql/test/query-tests/Security/CWE-117/logInjectionGood.js
+++ b/javascript/ql/test/query-tests/Security/CWE-117/logInjectionGood.js
@@ -27,3 +27,13 @@ const server = http.createServer((req, res) => {
     console.error(`[ERROR] Error: "${error}"`);
   }
 });
+
+const debug = require('debug')('app');
+
+const server_debug = http.createServer((req, res) => {
+  let q = url.parse(req.url, true);
+  let username = q.query.username;
+
+  // OK - debug package is not a production logger
+  debug('User: %s', username);
+});
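Review bot: The exclusion in the new `LoggingSink` constructor matches only loggers called directly on the result of `require('debug')(ns)`; a namespaced child created with `.extend()` (`const log = require('debug')('app').extend('db'); log(msg)`) would presumably still be a `LoggerCall` and keep alerting, and nothing in the hunk records why `debug` is dropped at all. That rationale deserves a comment because it is a security trade-off rather than a pure false-positive fix: `debug` output can be switched on in production via the `DEBUG` environment variable and, as far as I can tell, it does not sanitize newlines, so a forged log line is still possible whenever it is enabled. I would move the shape into a documented helper so the reason and the covered forms live in one place, with a recursive `extend` branch so chained sub-loggers are covered too. Note that the `not logger = ...` clause is only meaningful if `LoggerCall` already models `debug`; if it does not, the clause is a no-op and the new test passes vacuously, so that is worth confirming against the Logging library.
```ql
/**
 * Gets an API node for a logger produced by the `debug` npm package, i.e.
 * `require('debug')(ns)` or any `.extend(...)` sub-logger derived from it.
 * These are excluded from log-injection sinks: `debug` is a development aid
 * whose output is off unless `DEBUG` is set, so it is not treated as an audit log.
 */
private API::Node debugLogger() {
  result = API::moduleImport("debug").getReturn()
  or
  result = debugLogger().getMember("extend").getReturn()
}

// … unchanged: LoggingSink constructor, with the exclusion line replaced by …
      not logger = debugLogger().getACall()
```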
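Review bot: The new `server_debug` case in `logInjectionGood.js` only proves a negative, and a file of expected non-alerts cannot tell "excluded by the new `not` clause" apart from "never modelled as a `LoggerCall` in the first place". The suite would be stronger with a second `debug` shape exercised here, such as `import createDebug from 'debug'` or `require('debug')('app').extend('db')`, and presumably a neighbouring case in the Bad file showing that a non-`debug` logger fed the same `username` still alerts. The comment `// OK - debug package is not a production logger` states a conclusion rather than the reason; I would write `// OK - debug prints nothing unless DEBUG is set, so it is not treated as a log-injection sink`. Minor style point: `server` above is camelCase while the new binding is `server_debug`; `serverDebug` would be consistent.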