Protection of sensitive technical information
import express from 'express';
const app = express();
app.use(express.static('public', {
setHeaders: (res, path) => {
if (path.endsWith('.js.map')) {
res.setHeader('Content-Type', 'application/json');
}
},
}));
app.listen(3000, () => {
console.log('Server is running on port 3000');
});
The vulnerability in this code is a technical information leak through the exposure of SourceMap files. SourceMap files (.map) are used to map the minified or transpiled code back to its original source code for debugging purposes. In this code, the vulnerability arises from the fact that the server is serving the SourceMap files to any request made to the 'public' directory.
The vulnerable code snippet shows an Express server being created and configured to serve static files from the 'public' directory using the
express.static middleware. The vulnerability lies in the
setHeaders function provided as an option to the
express.static middleware.
In the
setHeaders function, it checks if the requested file ends with '.js.map' and sets the 'Content-Type' header to 'application/json'. This means that when a request is made for any file with a '.js.map' extension, the server responds with the SourceMap file and sets the content type as JSON.
This vulnerability allows an attacker to easily access and analyze the SourceMap files, which can provide valuable information about the inner workings of the application. By understanding the original source code structure and logic, an attacker can potentially identify vulnerabilities or generate new attack vectors to exploit the application.
To mitigate this vulnerability, access to SourceMap files should be limited to authorized users and roles.
import express from 'express';
const app = express();
app.use('/maps', express.static('maps', {
setHeaders: (res, path) => {
if (path.endsWith('.js.map')) {
// Implement authentication and authorization logic here
// to restrict access to the .map files
if (isAuthorizedUser()) {
res.setHeader('Content-Type', 'application/json');
} else {
res.status(403).send('Forbidden');
}
}
},
}));
app.listen(3000, () => {
console.log('Server is running on port 3000');
});
The fixed code addresses the vulnerability by implementing authentication and authorization logic to restrict access to the .map files.
The code uses the Express framework to create a server. It sets up a route for serving the map files using the
express.static middleware. The
express.static function is passed the 'maps' directory as the root directory for serving the files.
To restrict access to the .map files, the code defines a
setHeaders function as an option for the
express.static middleware. This function is called for each file that is requested.
Inside the
setHeaders function, it checks if the requested file ends with '.js.map' using the
endsWith method. If it does, it proceeds to check if the user is authorized by calling the
isAuthorizedUser function.
If the user is authorized, it sets the 'Content-Type' header to 'application/json', indicating that the file is a JSON file. This ensures that only authorized users can access the .map files.
If the user is not authorized, it sends a 403 Forbidden response to the client, indicating that access is denied.
Finally, the server listens on port 3000 for incoming requests.
By implementing this code, access to the .map files is restricted only to authorized users, mitigating the risk of a malicious actor analyzing the application and generating new attack vectors.