Debugging enabled in production - Dart

Debugging enabled in production - Dart

Need

Disabling debugging mode in production environment

Context

  • Usage of Dart for building cross-platform mobile, web, and desktop applications
  • Usage of Shelf for managing and organizing data in a Node.js application
  • Usage of shelf_io for managing and interacting with data storage in a Node.js application

Description

Non compliant code

        import 'package:shelf/shelf.dart' as shelf;
import 'package:shelf/shelf_io.dart' as io;

void main() {
  var handler = const shelf.Pipeline()
      .addMiddleware(shelf.logRequests())
      .addHandler(_echoRequest);

  io.serve(handler, 'localhost', 8080);
}

shelf.Response _echoRequest(shelf.Request request) {
  return shelf.Response.ok('Request for "${request.url}"');
}
        
        

In the above code, the shelf.logRequests() middleware is added to the application pipeline. This middleware logs all HTTP requests and responses to the console, which can include sensitive information such as session tokens, passwords, and other private data. This is fine for development and debugging purposes, but it's a security vulnerability when used in a production environment. The information logged can be seen by anyone who has access to the production server's console output or log files.

Steps

  • Identify the configuration or setting that enables debug mode in your application.
  • Disable the debug mode in the production environment. This can usually be done by setting a specific variable or flag in your configuration file or environment variables.
  • Ensure that error messages in the production environment do not leak sensitive information. Instead of detailed error messages, use generic error messages.
  • Test the application to ensure that debug information is no longer available in the production environment.

Compliant code

        import 'package:shelf/shelf.dart' as shelf;
import 'package:shelf/shelf_io.dart' as io;

void main() {
  var handler = const shelf.Pipeline()
      .addMiddleware(shelf.logRequests())
      .addHandler(_echoRequest);

  // Check if the application is in production mode
  if (String.fromEnvironment('ENV') == 'production') {
    // Disable debug mode in production
    handler = handler.change(debugMode: false);
  }

  io.serve(handler, 'localhost', 8080);
}

shelf.Response _echoRequest(shelf.Request request) {
  return shelf.Response.ok('Request for "${request.url}"');
}
        
        

The original code had a vulnerability where the debug mode was enabled in the production environment. This could lead to an information leak when an error is generated, as detailed debug information could be exposed.

The fixed code checks if the application is running in the production environment by checking the 'ENV' environment variable. If the application is in production, the debug mode is disabled.

This prevents the exposure of detailed debug information in the production environment, mitigating the information leak vulnerability. The application will now only log requests and handle them without exposing any sensitive debug information.

Remember to set the 'ENV' environment variable to 'production' when deploying your application to the production environment.

References