Technical information leak - SourceMap - Java

Need

Protection of sensitive technical information from unauthorized access

Context

  • Usage of Java for building cross-platform applications
  • Usage of javax.servlet for building Java web applications with servlets
  • Usage of java.io for input and output operations in Java programming

Description

Non-compliant code

import javax.servlet.*;
import javax.servlet.http.*;
import java.io.*;

public class SourceMapServlet extends HttpServlet {
    public void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        // The file name comes straight from the client and is never validated
        String filename = request.getParameter("file");
        ServletContext context = getServletContext();
        // Vulnerable: any resource under /WEB-INF/classes/, including .map files, can be requested
        InputStream is = context.getResourceAsStream("/WEB-INF/classes/" + filename);
        if (is != null) {
            OutputStream os = response.getOutputStream();
            byte[] buffer = new byte[1024];
            int bytesRead;
            while ((bytesRead = is.read(buffer)) != -1) {
                os.write(buffer, 0, bytesRead);
            }
            os.flush();
            os.close();
        }
    }
}

The above code is a servlet that serves files from the WEB-INF/classes directory, choosing the file from the file parameter of the HTTP GET request. This directory typically contains the application's compiled Java classes and resources, including the .map files generated for its JavaScript files.

The vulnerability is that any user can request any file in the WEB-INF/classes directory, including the .map files. A source map reveals a great deal about the JavaScript code, such as the original source before minification and the structure of the code. A malicious actor can use this information to analyze the application for further vulnerabilities or to understand its logic for malicious purposes.

Specifically, the vulnerability is in this line:

InputStream is = context.getResourceAsStream("/WEB-INF/classes/" + filename);

Here, the filename is used directly to look up a resource in the WEB-INF/classes directory. There is no validation of, or restriction on, which files can be accessed, so if the name of a .map file is supplied, that file is served to the user.

For example, a malicious actor could send a GET request like this:

GET /SourceMapServlet?file=myapp.js.map

And the server would return the myapp.js.map file, exposing the source map of the myapp.js file.

Steps

  • Avoid exposing source map files in a production environment.
  • Store source map files in a secure location that is not accessible to the public.
  • Implement access controls to restrict access to source map files.
  • Consider obfuscating or minifying the code to make it harder for attackers to analyze.
  • Regularly review and update the access controls and security measures for source map files.
  • Consider using a build process that automatically removes or excludes source map files from the production deployment.

Compliant code

import javax.servlet.*;
import javax.servlet.http.*;
import java.io.*;

public class SourceMapServlet extends HttpServlet {
    public void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        String filename = request.getParameter("file");
        // Refuse source maps (a missing parameter is treated the same way instead of throwing)
        if (filename == null || filename.endsWith(".map")) {
            response.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }
        ServletContext context = getServletContext();
        // try-with-resources closes the input stream even if writing the response fails
        try (InputStream is = context.getResourceAsStream("/WEB-INF/classes/" + filename)) {
            if (is != null) {
                OutputStream os = response.getOutputStream();
                byte[] buffer = new byte[1024];
                int bytesRead;
                while ((bytesRead = is.read(buffer)) != -1) {
                    os.write(buffer, 0, bytesRead);
                }
                os.flush();
                os.close();
            }
        }
    }
}

The updated code checks whether the requested file is a source map (i.e., its name ends with ".map"). If it is, the server responds with 404 Not Found, which prevents the exposure of source map files.

This is a simple and effective way to prevent the exposure of source map files, but it should be complemented with other security measures. For instance, source map files should be stored in a secure location that is not accessible to the public, and access controls should be implemented to restrict access to these files.

Furthermore, consider obfuscating or minifying the code to make it harder for attackers to analyze. Regularly review and update the access controls and security measures for source map files. Also, consider using a build process that automatically removes or excludes source map files from the production deployment.
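The suffix check above is a denylist: it stops .map files but still lets the client name any other resource under WEB-INF/classes. As an added example (not code from the original page), the servlet below takes the allowlist approach the steps recommend: it serves only a small set of public asset types from a dedicated directory, accepts only a single safe path segment (so no separators or traversal), and still refuses .map explicitly. The directory name /WEB-INF/public-assets/, the allowed suffix set and the isAllowed helper are assumptions made for this example; it needs Java 9 or later for Set.of.

```java
import javax.servlet.ServletContext;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.util.Locale;
import java.util.Set;
import java.util.regex.Pattern;

public class RestrictedResourceServlet extends HttpServlet {
    // Assumed: only these suffixes are ever served; .map, .class, .properties etc. are not listed
    private static final Set<String> ALLOWED_SUFFIXES = Set.of(".js", ".css", ".png");
    // One path segment: letters, digits, '_' and '-', with dots only between components.
    // No '/', '\\' or leading '.', so "../" and hidden files cannot match.
    private static final Pattern SAFE_NAME = Pattern.compile("[A-Za-z0-9_-]+(\\.[A-Za-z0-9_-]+)*");
    // Assumed location: a directory that holds only public assets, kept apart from compiled classes
    private static final String BASE = "/WEB-INF/public-assets/";

    // Returns true only for names that are syntactically safe and carry an allowed suffix
    static boolean isAllowed(String filename) {
        if (filename == null || filename.isEmpty()) return false;
        if (!SAFE_NAME.matcher(filename).matches()) return false;
        String lower = filename.toLowerCase(Locale.ROOT);
        if (lower.endsWith(".map")) return false;          // belt and braces on top of the allowlist
        for (String suffix : ALLOWED_SUFFIXES) {
            if (lower.endsWith(suffix)) return true;
        }
        return false;
    }

    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        String filename = request.getParameter("file");
        if (!isAllowed(filename)) {
            // Same response for "forbidden" and "missing": do not confirm which files exist
            response.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }
        ServletContext context = getServletContext();
        try (InputStream is = context.getResourceAsStream(BASE + filename)) {
            if (is == null) {
                response.sendError(HttpServletResponse.SC_NOT_FOUND);
                return;
            }
            String mime = context.getMimeType(filename);
            response.setContentType(mime != null ? mime : "application/octet-stream");
            OutputStream os = response.getOutputStream();
            byte[] buffer = new byte[8192];
            int n;
            while ((n = is.read(buffer)) != -1) {
                os.write(buffer, 0, n);
            }
            os.flush();
        }
    }

    // Self-check of the name filter that runs without a servlet container.
    // Expected: only "app.js" and "site.css" are accepted.
    public static void main(String[] args) {
        String[] probes = {"app.js", "site.css", "app.js.map", "App.JS.MAP",
                           "../web.xml", "a/b.js", ".hidden.js", null};
        for (String p : probes) {
            System.out.println(p + " -> " + isAllowed(p));
        }
    }
}
```

Two design points: the allowlist is case-insensitive, so a request for App.JS.MAP is refused the same way as app.js.map, and the filter is applied before any filesystem or classpath lookup, so the servlet never touches WEB-INF/classes at all. Keeping public assets in their own directory means that even a future bug in the filter cannot reach compiled classes or configuration files.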

Remember, security is not a one-time task but a continuous process. Always keep your security measures up-to-date and adapt them to the evolving threat landscape.
