Secure transmission of customer information
import express from 'express';
import fs from 'fs';
import ftp from 'ftp';
const app = express();
const client = new ftp();
app.get('/download', (req, res) => {
const file = req.query.file;
client.connect({
host: 'ftp.example.com',
user: 'username',
password: 'password'
});
client.get(file, (err, stream) => {
if (err) {
res.status(500).send('Error occurred while downloading the file');
} else {
stream.pipe(res);
}
});
});
app.listen(3000, () => {
console.log('Server is running on port 3000');
});
The vulnerability in this code is the use of an insecure channel, specifically FTP, to transmit customer information. The code uses the 'ftp' module to connect to an FTP server and download a file based on the user's request.
However, FTP does not provide encryption, which means that the credentials and confidential information being transmitted can be captured by an attacker in plain text. This leaves the user's credentials vulnerable to interception and potential misuse.
To fix this vulnerability, the application should be deployed over an encrypted communication channel, such as SFTP (SSH File Transfer Protocol) or HTTPS. These protocols provide secure encryption for data transmission, ensuring that sensitive information remains confidential and protected from unauthorized access.
import express from 'express';
import fs from 'fs';
import { Client } from 'ssh2-sftp-client';
const app = express();
const client = new Client();
app.get('/download', async (req, res) => {
const file = req.query.file;
try {
await client.connect({
host: 'ftp.example.com',
port: 22, // SFTP port
username: 'username',
password: 'password'
});
const stream = await client.get(file);
stream.pipe(res);
} catch (err) {
res.status(500).send('Error occurred while downloading the file');
} finally {
client.end();
}
});
app.listen(3000, () => {
console.log('Server is running on port 3000');
});
The fixed code addresses the vulnerability by using a secure communication channel (SFTP) instead of the insecure FTP channel. Here's an explanation of the changes made:
1. The code imports the necessary modules:
express for creating the server,
fs for file system operations, and
ssh2-sftp-client for establishing an SFTP connection.
2. An instance of the
express application is created.
3. An instance of the
ssh2-sftp-client is created to establish an SFTP connection.
4. The code defines a route handler for the
/download endpoint using
app.get(). This endpoint expects a query parameter
file to specify the file to be downloaded.
5. Inside the route handler, the code connects to the SFTP server using
client.connect(). It provides the host, port (22 for SFTP), username, and password for authentication.
6. After a successful connection, the code retrieves the requested file using
client.get(). The file is streamed directly to the response object
res using
stream.pipe(res).
7. In case of any errors during the connection or file retrieval, the code sends a 500 status response with an error message.
8. Finally, the SFTP connection is closed using
client.end() in the
finally block to ensure proper cleanup.
9. The server starts listening on port 3000 using
app.listen().
By using SFTP instead of FTP, the code ensures that customer information and credentials are transmitted securely over an encrypted channel, mitigating the risk of interception and unauthorized access.