Protection of sensitive business information in source code
import 'package:shelf/shelf.dart' as shelf;
import 'package:shelf/shelf_io.dart' as io;

void main() {
  // Every request passes through logRequests() before reaching the handler.
  var handler = const shelf.Pipeline()
      .addMiddleware(shelf.logRequests())
      .addHandler(_echoRequest);
  io.serve(handler, 'localhost', 8080);
}

// Echoes the requested URL back to the client.
shelf.Response _echoRequest(shelf.Request request) {
  return shelf.Response.ok('Request for "${request.url}"');
}
The code above is a minimal server built with the Shelf framework in Dart. It listens for requests on localhost at port 8080 and responds with a short message that echoes the requested URL.
The vulnerability here is that the server logs every incoming request without discrimination. If a request carries sensitive business information, such as employee or customer data, that information ends up in the server logs. This can lead to a business information leak, because anyone with access to the server logs, including unauthorized individuals, can read the sensitive data there.
For example, if a client made a POST request to http://localhost:8080 with the body {"employeeName": "John Doe", "employeeId": "1234"}, the server would log:

Request for "/{"employeeName": "John Doe", "employeeId": "1234"}"
This is a serious vulnerability as it exposes sensitive data, potentially violating privacy laws and regulations. It also increases the risk of other forms of attack, such as identity theft or phishing.
import 'dart:io';
import 'package:shelf/shelf.dart' as shelf;
import 'package:shelf/shelf_io.dart' as io;

void main() {
  // The port is read from the PORT environment variable rather than hard-coded.
  // Platform.environment values are nullable, so fail early and clearly if it is unset.
  final rawPort = Platform.environment['PORT'];
  if (rawPort == null) {
    throw StateError('PORT environment variable is not set');
  }
  var handler = const shelf.Pipeline()
      .addMiddleware(shelf.logRequests())
      .addHandler(_echoRequest);
  io.serve(handler, 'localhost', int.parse(rawPort));
}

// Echoes the requested URL back to the client.
shelf.Response _echoRequest(shelf.Request request) {
  return shelf.Response.ok('Request for "${request.url}"');
}
The updated code now reads the port number from an environment variable. This is a more secure approach because the port number is no longer exposed in the source code.
Sensitive information such as employee and customer data should never be stored directly in the source code. Instead, such data should be stored in a secure database and accessed through secure means such as encrypted connections and secure APIs.
In the updated code, the hard-coded port number has been replaced with an environment variable. This is common practice for managing configuration in production environments, where you do not want sensitive information in your code or your version control system.
To set the environment variable in your production environment, run the following command in a POSIX shell (bash, for example):
export PORT=8080
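The two points above, logging that does not capture request data and configuration taken from the environment, can be combined in one server. The following is an added example written for this article, not code from the Shelf project: it replaces the stock logRequests() middleware with one that records only method, path and status (the query string, body and credential-bearing headers never reach the log), and it validates the PORT variable instead of parsing it blindly. The header names in _sensitiveHeaders are a constructed list.

```dart
import 'dart:io';
import 'package:shelf/shelf.dart' as shelf;
import 'package:shelf/shelf_io.dart' as io;

// Constructed list of header names whose values must never be written to a log.
const _sensitiveHeaders = {'authorization', 'cookie', 'x-api-key'};

/// Logging middleware that records method, path, status and timing only.
/// The query string and request body are deliberately omitted, and sensitive
/// headers are reported by name with their values redacted.
shelf.Middleware redactedLogger() {
  return (shelf.Handler inner) {
    return (shelf.Request request) async {
      final watch = Stopwatch()..start();
      final response = await inner(request);
      watch.stop();
      final path = request.requestedUri.path; // no query parameters
      final redacted = request.headers.keys
          .where((h) => _sensitiveHeaders.contains(h.toLowerCase()))
          .map((h) => '$h=<redacted>')
          .join(',');
      stdout.writeln('${request.method} $path ${response.statusCode} '
          '${watch.elapsedMilliseconds}ms'
          '${redacted.isEmpty ? '' : ' [$redacted]'}');
      return response;
    };
  };
}

/// Reads PORT from the environment and rejects missing or invalid values
/// instead of crashing on a null or non-numeric string.
int portFromEnvironment() {
  final raw = Platform.environment['PORT'];
  final port = raw == null ? null : int.tryParse(raw);
  if (port == null || port < 1 || port > 65535) {
    stderr.writeln('PORT must be set to a valid TCP port (1-65535)');
    exit(2);
  }
  return port;
}

Future<void> main() async {
  final handler = const shelf.Pipeline()
      .addMiddleware(redactedLogger())
      .addHandler((shelf.Request request) => shelf.Response.ok('ok'));
  final server = await io.serve(handler, 'localhost', portFromEnvironment());
  stdout.writeln('listening on ${server.address.host}:${server.port}');
}
```

A request such as GET /search?employeeId=1234 with an Authorization header is logged as "GET /search 200 3ms [authorization=<redacted>]", so the identifier and the credential stay out of the log.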