Protection of sensitive technical information from unauthorized access
```java
import javax.servlet.*;
import javax.servlet.http.*;
import java.io.*;

public class SourceMapServlet extends HttpServlet {
    public void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        // The file name comes straight from the request and is never validated.
        String filename = request.getParameter("file");
        ServletContext context = getServletContext();
        InputStream is = context.getResourceAsStream("/WEB-INF/classes/" + filename);
        if (is != null) {
            // Whatever resource was found is copied verbatim to the client.
            OutputStream os = response.getOutputStream();
            byte[] buffer = new byte[1024];
            int bytesRead;
            while ((bytesRead = is.read(buffer)) != -1) {
                os.write(buffer, 0, bytesRead);
            }
            is.close();
            os.flush();
            os.close();
        }
    }
}
```
The above code represents a Servlet that serves files from the `WEB-INF/classes` directory based on the `file` parameter in the HTTP GET request. This directory typically contains the compiled Java classes and resources of the application, including the `.map` files that are generated for JavaScript files.
The vulnerability lies in the fact that it allows any user to request any file in the `WEB-INF/classes` directory, including the `.map` files. These files can provide a lot of information about the JavaScript code, such as the original source code before minification and the structure of the code. This information can be used by a malicious actor to analyze the application for further vulnerabilities or to understand the application's logic for malicious purposes.
Specifically, the vulnerability is in this line:

```java
InputStream is = context.getResourceAsStream("/WEB-INF/classes/" + filename);
```

`filename` is directly used to get a resource from the `WEB-INF/classes` directory. There is no validation or restriction on what files can be accessed. Therefore, if a `.map` file name is provided, it will be served to the user.
For example, the following request:

```http
GET /SourceMapServlet?file=myapp.js.map
```

returns the `myapp.js.map` file, exposing the source map of the `myapp.js` file.
```java
import javax.servlet.*;
import javax.servlet.http.*;
import java.io.*;

public class SourceMapServlet extends HttpServlet {
    public void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        String filename = request.getParameter("file");
        // Refuse source maps outright; a missing parameter is treated the same way
        // instead of throwing a NullPointerException.
        if (filename == null || filename.endsWith(".map")) {
            response.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }
        ServletContext context = getServletContext();
        InputStream is = context.getResourceAsStream("/WEB-INF/classes/" + filename);
        if (is != null) {
            OutputStream os = response.getOutputStream();
            byte[] buffer = new byte[1024];
            int bytesRead;
            while ((bytesRead = is.read(buffer)) != -1) {
                os.write(buffer, 0, bytesRead);
            }
            is.close();
            os.flush();
            os.close();
        }
    }
}
```
The updated code includes a check to see if the requested file is a source map file (i.e., ends with ".map"). If it is, the server responds with a 404 Not Found error, effectively preventing the exposure of source map files.
This is a simple and effective way to prevent the exposure of source map files, but it should be complemented with other security measures. For instance, source map files should be stored in a secure location that is not accessible to the public, and access controls should be implemented to restrict access to these files.
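One way to implement the access control described above is to replace the suffix blocklist with an allowlist of the exact resource names the servlet is meant to serve, so that neither source maps nor any other file in `WEB-INF/classes` can be requested by name. The following is an added example, not code from the original page; the class name `ResourcePolicy`, the method `resolve` and the allowed file names are constructed for illustration.

```java
import java.util.Locale;
import java.util.Optional;
import java.util.Set;

// Added example: an allowlist-based policy that a servlet such as
// SourceMapServlet could consult before calling getResourceAsStream().
public final class ResourcePolicy {
    private static final String BASE = "/WEB-INF/classes/";

    // Only resources explicitly listed here may be served (constructed names).
    private static final Set<String> ALLOWED = Set.of("app.properties", "messages.properties");

    // Returns the resolved resource path, or empty if the request must get a 404.
    public static Optional<String> resolve(String requested) {
        if (requested == null || requested.isEmpty()) {
            return Optional.empty();
        }
        // The allowlist holds bare file names, so any directory component,
        // separator or ".." can never match and can never leave BASE.
        if (requested.indexOf('/') >= 0 || requested.indexOf('\\') >= 0
                || requested.contains("..")) {
            return Optional.empty();
        }
        // Defence in depth: compare case-insensitively so ".MAP" is
        // rejected exactly like ".map".
        if (requested.toLowerCase(Locale.ROOT).endsWith(".map")) {
            return Optional.empty();
        }
        if (!ALLOWED.contains(requested)) {
            return Optional.empty();
        }
        return Optional.of(BASE + requested);
    }

    // Constructed probe inputs: one permitted name, the rest rejected.
    public static void main(String[] args) {
        String[] probes = {"app.properties", "myapp.js.map", "MYAPP.JS.MAP",
                           "../config.xml", "Foo.class", ""};
        for (String p : probes) {
            System.out.println("\"" + p + "\" -> " + resolve(p).orElse("rejected (404)"));
        }
    }
}
```

In the servlet, `resolve(request.getParameter("file"))` returning empty maps to `response.sendError(HttpServletResponse.SC_NOT_FOUND)`, and the non-empty value is the only path ever passed to `getResourceAsStream`.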
Furthermore, consider obfuscating or minifying the code to make it harder for attackers to analyze. Regularly review and update the access controls and security measures for source map files. Also, consider using a build process that automatically removes or excludes source map files from the production deployment.
Remember, security is not a one-time task but a continuous process. Always keep your security measures up-to-date and adapt them to the evolving threat landscape.