Technical information leak - Print Functions - TypeScript

Need

Prevention of sensitive information leakage through print functions

Context

  • Usage of TypeScript for statically typed JavaScript development
  • Usage of Express for building web applications and APIs

Description

Non-compliant code

import express from 'express';

const app = express();

app.get('/users/:id', (req, res) => {
  const userId = req.params.id;
  const user = getUserById(userId);

  console.log(`User details: ${JSON.stringify(user)}`); // Vulnerable print function

  res.json(user);
});

function getUserById(id: string) {
  // Database query to fetch user details
  return {
    id,
    name: 'John Doe',
    email: 'johndoe@example.com',
    password: 'password123' // Sensitive information
  };
}

app.listen(3000, () => {
  console.log('Server started on port 3000');
});

The vulnerability in this code lies in the usage of the console.log function to print sensitive information.

In the app.get('/users/:id') route handler, the code retrieves a user's details based on the provided id parameter. After fetching the user details, it uses the console.log function to print the user object, including sensitive information such as the password.

The problem with this approach is that console.log writes to standard output (stdout). In a deployed application stdout is normally captured into log files, the container runtime or a log aggregation service, so the record becomes readable by anyone with access to the logs, not only by those authorized to read the user data. Sensitive information, like the password in this case, can therefore be exposed to potential attackers.

By printing sensitive information to the console, the code inadvertently exposes technical details of the application to unauthorized users. This increases the attack surface and provides potential attackers with valuable information that can be used to exploit the system.

To mitigate this vulnerability, it is recommended to remove or comment out the console.log statement that prints sensitive information. In a production environment, it is crucial to avoid printing any sensitive data to the console or any other output that can be accessed by unauthorized users.

Steps

  • Remove the vulnerable print function `console.log` that exposes sensitive information.
  • Instead of printing the user details, sanitize the data and only send necessary information in the response.
  • Update the `getUserById` function to retrieve user details from the database without exposing sensitive information.
  • Ensure that the application does not provide technical or sensitive information to unauthorized users.
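One way to carry out the steps above, as an added example that is not the page's own code: a typed allowlist projection for the response body (the sanitizedUser idea made reusable) and a key-name redactor for anything that still has to be logged. The UserRecord shape, PUBLIC_USER_FIELDS and the SENSITIVE_KEY pattern are assumptions about the application's schema, and sampleUser is a constructed record.

```typescript
// Added example, not code from the original page: a typed allowlist projection
// for the HTTP response plus a key-based redactor for anything that must be logged.
interface UserRecord {
  id: string;
  name: string;
  email: string;
  passwordHash: string;
}

// Fields that may be returned to an API client. An allowlist is safer than a
// denylist: a column added to UserRecord later stays hidden until listed here.
const PUBLIC_USER_FIELDS = ['id', 'name'] as const;
type PublicUser = Pick<UserRecord, (typeof PUBLIC_USER_FIELDS)[number]>;

function toPublicUser(user: UserRecord): PublicUser {
  const out: Partial<PublicUser> = {};
  for (const key of PUBLIC_USER_FIELDS) {
    out[key] = user[key];
  }
  return out as PublicUser;
}

// Key names whose values must never reach a log line (assumption: the
// application's secrets use names like these; extend the pattern as needed).
const SENSITIVE_KEY = /password|passwd|secret|token|api[-_]?key|authorization|cookie/i;

// Walks any value and replaces sensitive fields at any depth, so a nested
// object such as user.credentials.token is redacted as well.
function redactForLog(value: unknown): unknown {
  if (Array.isArray(value)) return value.map(redactForLog);
  if (value !== null && typeof value === 'object') {
    const obj = value as Record<string, unknown>;
    const out: Record<string, unknown> = {};
    for (const k of Object.keys(obj)) {
      out[k] = SENSITIVE_KEY.test(k) ? '[REDACTED]' : redactForLog(obj[k]);
    }
    return out;
  }
  return value;
}

// What a route handler may log instead of JSON.stringify(user).
function describeForLog(user: UserRecord): string {
  return `User details: ${JSON.stringify(redactForLog(user))}`;
}

// Constructed sample record standing in for a database row.
const sampleUser: UserRecord = { id: '42', name: 'John Doe', email: 'johndoe@example.com',
  passwordHash: 'constructed-hash-not-a-real-secret' };
```

In the route handler, res.json(toPublicUser(user)) replaces res.json(user), and any remaining console.log of the record goes through describeForLog.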

Compliant code

import express from 'express';

const app = express();

app.get('/users/:id', (req, res) => {
  const userId = req.params.id;
  const user = getUserById(userId);

  const sanitizedUser = {
    id: user.id,
    name: user.name
  };

  res.json(sanitizedUser);
});

function getUserById(id: string) {
  // Database query to fetch user details
  return {
    id,
    name: 'John Doe'
  };
}

app.listen(3000, () => {
  console.log('Server started on port 3000');
});

The fixed code addresses the vulnerability by ensuring that no sensitive or technical information is leaked through print functions.

In the code, an Express server is created using the express package. It defines a route for retrieving user information based on the provided user ID.

When a GET request is made to the /users/:id endpoint, the code retrieves the user ID from the request parameters and calls the getUserById function to fetch the user details from the database.

To prevent leaking sensitive information, the code creates a sanitizedUser object that only includes the necessary information, such as the user's ID and name. This ensures that any sensitive or technical details are not exposed in the response.

Finally, the sanitized user object is sent as a JSON response using the res.json method.

The getUserById function is responsible for fetching the user details from the database. In this example, it simply returns a hardcoded user object with an ID and name.

The server is then started on port 3000, and a message is logged to the console indicating that the server has started successfully. This remaining console.log is acceptable because the message contains no user data or secrets.

Overall, the fixed code ensures that only necessary and safe information is exposed in the response, preventing any potential leakage of sensitive or technical details.
