Traceability loss - Server's clock - TypeScript

Traceability loss - Server's clock - TypeScript

Need

Synchronization of server's internal clock with NTP servers

Context

  • Usage of TypeScript for type-checking and static typing in Node.js development
  • Usage of Express for building web applications and handling HTTP requests

Description

Non compliant code

        import express from 'express';

const app = express();

app.get('/logs', (req, res) => {
  const currentDate = new Date();
  const logEntry = `Log entry created on ${currentDate}`;

  // ... write log entry to file or database ...

  res.send('Log entry created successfully');
});

app.listen(3000, () => {
  console.log('Server started on port 3000');
});
        
        

The vulnerability in this code is related to traceability loss due to the server's clock not being synced with NTP servers.

In the code, when a GET request is made to the '/logs' endpoint, a new Date object is created to get the current date and time. However, since the server's clock is not synced with NTP servers, there is a possibility that the date obtained from the Date object may be incorrect.

This can lead to traceability loss as the log entries created using the incorrect date will not accurately reflect when the events actually occurred. This can make it difficult to track and analyze the logs for debugging or auditing purposes.

To mitigate this vulnerability, it is recommended to sync the server's clock with an NTP server. This will ensure that the Date object accurately represents the current date and time, providing reliable traceability in the log entries.

Steps

  • Install the 'ntp' package to sync the server's clock with NTP servers
  • Import the 'ntp' package in the vulnerable code file
  • Use the 'ntp' package to sync the server's clock with NTP servers before creating the log entry
  • Update the log entry creation code to use the synchronized server's date

Compliant code

        import express from 'express';
import ntp from 'ntp';

const app = express();

app.get('/logs', (req, res) => {
  ntp.time({ servers: ['pool.ntp.org'] }, (err, time) => {
    if (err) {
      console.error('Error syncing server time:', err);
      return;
    }

    const currentDate = new Date(time.t);
    const logEntry = `Log entry created on ${currentDate}`;

    // ... write log entry to file or database ...

    res.send('Log entry created successfully');
  });
});

app.listen(3000, () => {
  console.log('Server started on port 3000');
});
        
        

The fixed code addresses the vulnerability by synchronizing the server's internal clock with an NTP server before writing log entries. Here's an explanation of the changes made:

1. The ntp package is imported to handle the NTP time synchronization.

2. The /logs route is defined using the app.get method from the express package.

3. Inside the route handler, the ntp.time function is called to sync the server time with an NTP server. It takes an object with the servers property set to an array containing the NTP server(s) to use.

4. The callback function for ntp.time receives two parameters: err and time. If an error occurs during the time synchronization, an error message is logged to the console.

5. If the time synchronization is successful, the time object contains the synchronized time in the t property. This value is used to create a new Date object, currentDate, representing the current server time.

6. The logEntry variable is then created, containing a string that includes the current date.

7. The log entry can be written to a file or database, depending on the implementation.

8. Finally, a response is sent back to the client with the message "Log entry created successfully".

9. The server is started on port 3000 using the app.listen method, and a message is logged to the console indicating that the server has started.

By synchronizing the server's clock with an NTP server before writing log entries, the fixed code ensures that the log entries will have the correct date and time, addressing the traceability loss vulnerability.

References