Technical information leak - SourceMap - TypeScript

Technical information leak - SourceMap - TypeScript

Need

Protection of sensitive technical information

Context

  • Usage of TypeScript for type-checking and static typing in JavaScript development
  • Usage of Express for building web applications and APIs

Description

Non compliant code

        import express from 'express';

const app = express();

app.use(express.static('public', {
  setHeaders: (res, path) => {
    if (path.endsWith('.js.map')) {
      res.setHeader('Content-Type', 'application/json');
    }
  },
}));

app.listen(3000, () => {
  console.log('Server is running on port 3000');
});
        
        

The vulnerability in this code is a technical information leak through the exposure of SourceMap files. SourceMap files (.map) are used to map the minified or transpiled code back to its original source code for debugging purposes. In this code, the vulnerability arises from the fact that the server is serving the SourceMap files to any request made to the 'public' directory.

The vulnerable code snippet shows an Express server being created and configured to serve static files from the 'public' directory using the express.static middleware. The vulnerability lies in the setHeaders function provided as an option to the express.static middleware.

In the setHeaders function, it checks if the requested file ends with '.js.map' and sets the 'Content-Type' header to 'application/json'. This means that when a request is made for any file with a '.js.map' extension, the server responds with the SourceMap file and sets the content type as JSON.

This vulnerability allows an attacker to easily access and analyze the SourceMap files, which can provide valuable information about the inner workings of the application. By understanding the original source code structure and logic, an attacker can potentially identify vulnerabilities or generate new attack vectors to exploit the application.

To mitigate this vulnerability, access to SourceMap files should be limited to authorized users and roles.

Steps

  • Identify the location of the .map files in your project.
  • Create a directory or folder in your project to store the .map files.
  • Move the .map files to the newly created directory.
  • Update the 'express.static' middleware to serve the .map files from the new directory.
  • Modify the 'setHeaders' function to only set the 'Content-Type' header for authorized users and roles.
  • Implement a mechanism to restrict access to the .map files based on user authentication and authorization.
  • Test the updated code to ensure that the .map files are no longer accessible to unauthorized users.

Compliant code

        import express from 'express';

const app = express();

app.use('/maps', express.static('maps', {
  setHeaders: (res, path) => {
    if (path.endsWith('.js.map')) {
      // Implement authentication and authorization logic here
      // to restrict access to the .map files
      if (isAuthorizedUser()) {
        res.setHeader('Content-Type', 'application/json');
      } else {
        res.status(403).send('Forbidden');
      }
    }
  },
}));

app.listen(3000, () => {
  console.log('Server is running on port 3000');
});
        
        

The fixed code addresses the vulnerability by implementing authentication and authorization logic to restrict access to the .map files.

The code uses the Express framework to create a server. It sets up a route for serving the map files using the express.static middleware. The express.static function is passed the 'maps' directory as the root directory for serving the files.

To restrict access to the .map files, the code defines a setHeaders function as an option for the express.static middleware. This function is called for each file that is requested.

Inside the setHeaders function, it checks if the requested file ends with '.js.map' using the endsWith method. If it does, it proceeds to check if the user is authorized by calling the isAuthorizedUser function.

If the user is authorized, it sets the 'Content-Type' header to 'application/json', indicating that the file is a JSON file. This ensures that only authorized users can access the .map files.

If the user is not authorized, it sends a 403 Forbidden response to the client, indicating that access is denied.

Finally, the server listens on port 3000 for incoming requests.

By implementing this code, access to the .map files is restricted only to authorized users, mitigating the risk of a malicious actor analyzing the application and generating new attack vectors.

References