Database

Need

Ensure verifiability of files in the repository

Context

• Usage of JavaScript for developing modern web applications

• The repository stores files that scanners cannot verify because their content does not match their extension.

• The repository stores files that scanners cannot verify because their content is opaque (minified, compiled or packaged) and difficult to inspect.

Description

1. Non-compliant code

/my-project
├── static/
│   ├── jquery.min.js
│   ├── MyProgram.class
│   └── maven.wrapper.jar
└── src/
    ├── main.js
    └── index.html

In this example, the repository has a "static/" directory containing files that scanners cannot verify: a minified script whose content is obfuscated, and a compiled class file and a JAR archive whose binary content cannot be reviewed as source.

2. Steps

• Validate the file extension before saving it to the repository

• Filter out files that cannot be verified by scanners
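A check that implements both steps, added here as an example and not part of the original page: it rejects files whose extension is outside a reviewable allowlist, files whose bytes carry a binary signature under a text extension, and minified text. The allowlist, the magic-byte table and the line-length threshold are assumptions chosen for this example.

```python
import os

# Extensions whose content can be read and reviewed as plain text (assumed allowlist).
REVIEWABLE = {".js", ".html", ".css", ".json", ".md"}

# Leading bytes of opaque binaries that sometimes hide under a text extension
# (constructed table for this example).
BINARY_MAGIC = {
    b"\xca\xfe\xba\xbe": "Java class file",
    b"PK\x03\x04": "ZIP/JAR archive",
}

MAX_LINE_LEN = 500  # assumed threshold: longer lines indicate minified or generated code


def reject_reason(path: str, data: bytes):
    """Return None if the file is verifiable, else a human-readable reason to reject it."""
    ext = os.path.splitext(path)[1].lower()
    if ext not in REVIEWABLE:
        return f"extension {ext or '(none)'} is not a reviewable source type"
    for magic, kind in BINARY_MAGIC.items():
        if data.startswith(magic):
            return f"content is a {kind}, which does not match extension {ext}"
    try:
        text = data.decode("utf-8")
    except UnicodeDecodeError:
        return "content is not valid UTF-8 text"
    if path.endswith(".min.js") or any(len(line) > MAX_LINE_LEN for line in text.splitlines()):
        return "content is minified or obfuscated and cannot be reviewed"
    return None


def scan_repository(files: dict) -> dict:
    """Map each path (path -> bytes) that must stay out of the repository to its reason."""
    rejected = {}
    for path, data in files.items():
        reason = reject_reason(path, data)
        if reason:
            rejected[path] = reason
    return rejected


SAMPLE_TREE = {  # constructed to mirror the non-compliant layout above
    "static/jquery.min.js": b"!function(e,t){" + b"a" * 600 + b"}();",
    "static/MyProgram.class": b"\xca\xfe\xba\xbe\x00\x00\x00\x34",
    "static/maven.wrapper.jar": b"PK\x03\x04\x14\x00",
    "static/vendor.js": b"\xca\xfe\xba\xbe\x00\x00\x00\x34",  # class file renamed to .js
    "src/main.js": b"function greet(name) {\n  return 'hi ' + name;\n}\n",
    "src/index.html": b"<!doctype html>\n<script src='main.js'></script>\n",
}

if __name__ == "__main__":
    for path, reason in scan_repository(SAMPLE_TREE).items():
        print(f"reject {path}: {reason}")
```

Run from a pre-commit hook over the staged files, the same function blocks the commit before an unverifiable file ever reaches the repository.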

3. Secure code example

/my-project
├── .gitignore
├── src/
│   └── main.js
└── static/...

Contents of .gitignore (gitignore uses glob patterns, so "*" rather than ".*" matches any file name):

static/*.min.js
static/*.class
static/*.jar

In this case, the files that cannot be verified are matched by patterns in the .gitignore file, so they are never committed to the repository.