
Technical information leak - SourceMap

Need

Protection of sensitive technical information from unauthorized access

Context

• Usage of Java for building cross-platform applications

• Usage of javax.servlet for building Java web applications with servlets

• Usage of java.io for input and output operations in Java programming

Description

1. Non-compliant code

```java
import javax.servlet.*;
import javax.servlet.http.*;
import java.io.*;

public class SourceMapServlet extends HttpServlet {
    public void doGet(HttpServletRequest request, HttpServletResponse response)
    throws ServletException, IOException {
        ServletContext context = getServletContext();
        // Method body completed from the description below: the "file" parameter is used as-is
        String filename = request.getParameter("file");
        InputStream is = context.getResourceAsStream("/WEB-INF/classes/" + filename);
        // Whatever resource is found under WEB-INF/classes, .map files included, is streamed back
        is.transferTo(response.getOutputStream());
    }
}
```

The above code is a servlet that serves files from the `WEB-INF/classes` directory based on the `file` parameter of the HTTP GET request. This directory typically contains the compiled Java classes and resources of the application, including the `.map` files generated for its JavaScript bundles. The vulnerability is that any user can request any file under `WEB-INF/classes`, `.map` files included. A source map reveals a great deal about the JavaScript code, such as the original source before minification and the structure of the code, which a malicious actor can use to analyze the application for further vulnerabilities or to understand its logic.

Specifically, the vulnerability is in this line:

```java
InputStream is = context.getResourceAsStream("/WEB-INF/classes/" + filename);
```

Here `filename` is used directly to look up a resource under `WEB-INF/classes`; nothing validates or restricts which files can be requested, so a `.map` file name is served like any other. For example, a malicious actor could send a GET request like this:

```
GET /SourceMapServlet?file=myapp.js.map
```

and the server would return `myapp.js.map`, exposing the source map of `myapp.js`.

2. Steps

• Avoid exposing source map files in a production environment.

• Store source map files in a secure location that is not accessible to the public.

• Implement access controls to restrict access to source map files.

• Consider obfuscating or minifying the code to make it harder for attackers to analyze.

• Regularly review and update the access controls and security measures for source map files.

• Consider using a build process that automatically removes or excludes source map files from the production deployment.

3. Secure code example

```java
import javax.servlet.*;
import javax.servlet.http.*;
import java.io.*;

public class SourceMapServlet extends HttpServlet {
    public void doGet(HttpServletRequest request, HttpServletResponse response)
    throws ServletException, IOException {
        String filename = request.getParameter("file");
        if (filename == null || filename.endsWith(".map")) { // never serve source maps
            response.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }
        InputStream is = getServletContext().getResourceAsStream("/WEB-INF/classes/" + filename);
        if (is == null) { response.sendError(HttpServletResponse.SC_NOT_FOUND); return; }
        is.transferTo(response.getOutputStream());
    }
}
```

The updated code checks whether the requested file is a source map (its name ends with `.map`) and, if so, responds with 404 Not Found, so source maps are never exposed. This is a simple and effective first step, but it should be complemented with the other measures listed above: store source map files in a location that is not publicly accessible, implement access controls on them, consider obfuscating or minifying the code to make it harder to analyze, review and update those controls regularly, and prefer a build process that removes or excludes source maps from the production deployment. Security is not a one-time task but a continuous process; keep these measures up to date and adapt them to the evolving threat landscape.
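The single `.map` suffix check above leaves every other resource under `WEB-INF/classes` reachable through the same parameter. The following is an added example, not the page's own code, of how the steps in section 2 combine in one servlet: an allow-list of file names and extensions that may be served, a dedicated public asset directory instead of `WEB-INF/classes`, and a filter that refuses `.map` names as defence in depth. It assumes the build copies production assets to `/assets` inside the web application and has already dropped source maps, Java 9 or later for `InputStream.transferTo`, and that `StaticAssetServlet` and `SourceMapDenyFilter` are registered in `web.xml` or via `@WebServlet`/`@WebFilter` annotations (registration is not shown).

```java
import javax.servlet.*;
import javax.servlet.http.*;
import java.io.*;
import java.util.*;

// Added example: allow-list asset servlet plus a defence-in-depth filter.
// Assumptions: production assets live under /assets inside the web application
// (not under WEB-INF/classes) and the build step drops .map files before deployment.
public class StaticAssetServlet extends HttpServlet {
    private static final String ASSET_ROOT = "/assets/";
    private static final Set<String> ALLOWED_EXTENSIONS =
            new HashSet<>(Arrays.asList("js", "css"));

    // Maps the "file" parameter to a resource path, or returns null when the
    // request must be refused. Free of servlet state so the policy can be run
    // from main() or a unit test without a container.
    static String resolveAllowedResource(String requested) {
        // Only simple names survive: no '/', '\', '..', '%', NUL or leading dot,
        // so the lookup can never leave ASSET_ROOT.
        if (requested == null
                || !requested.matches("[A-Za-z0-9_-]+(\\.[A-Za-z0-9_-]+)*")) {
            return null;
        }
        int dot = requested.lastIndexOf('.');
        if (dot < 0) {
            return null;
        }
        String ext = requested.substring(dot + 1).toLowerCase(Locale.ROOT);
        // Deny by default: "map", "class", "properties", ... are not listed,
        // so "myapp.js.map" is refused while "myapp.js" is served.
        return ALLOWED_EXTENSIONS.contains(ext) ? ASSET_ROOT + requested : null;
    }

    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        String path = resolveAllowedResource(request.getParameter("file"));
        InputStream in = (path == null) ? null
                : getServletContext().getResourceAsStream(path);
        if (in == null) {
            // Same answer for "refused" and "absent", so the response does not
            // reveal which names exist on the server.
            response.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }
        try (InputStream body = in) {
            String mime = getServletContext().getMimeType(path);
            if (mime != null) {
                response.setContentType(mime);
            }
            body.transferTo(response.getOutputStream());
        }
    }

    // Runs the policy against a few constructed request values without a container.
    public static void main(String[] args) {
        String[] samples = {"myapp.js", "styles.css", "myapp.js.map",
                "../WEB-INF/web.xml", "App.class", ".htaccess", "a%2e%2e/b.js"};
        for (String s : samples) {
            System.out.printf("%-22s -> %s%n", s, resolveAllowedResource(s));
        }
    }
}

// Defence in depth: refuse any request whose path or parameter values name a
// .map file, so no other servlet or default static handler can hand one out.
class SourceMapDenyFilter implements Filter {
    private static boolean namesSourceMap(String value) {
        return value != null && value.toLowerCase(Locale.ROOT).endsWith(".map");
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) req;
        boolean blocked = namesSourceMap(http.getRequestURI());
        for (String[] values : http.getParameterMap().values()) {
            for (String v : values) {
                blocked |= namesSourceMap(v);
            }
        }
        if (blocked) {
            ((HttpServletResponse) res).sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }
        chain.doFilter(req, res);
    }

    @Override public void init(FilterConfig filterConfig) { }
    @Override public void destroy() { }
}
```

Running `main` prints `/assets/myapp.js` and `/assets/styles.css` for the two legitimate names and `null` for every other sample, including `myapp.js.map`. The design choice is that the servlet decides what may be served (an allow-list) rather than what may not (a deny-list of one extension), and the filter only exists to catch a source map that some other handler would otherwise return; both answer 404 so a refused name and a missing file are indistinguishable.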