Technical information leak - SourceMap
Need
Protection of sensitive technical information
Context
• Usage of Scala for building scalable and high-performance applications
• Usage of Play Framework for building scalable and reactive web applications
Description
1. Non compliant code
import sbt._
import PlayProject._
object ApplicationBuild extends Build {
    val appName         = "VulnerableApp"
    val appVersion      = "1.0-SNAPSHOT"
    val appDependencies = Seq(...The above code is a build configuration for a Scala application using the Play framework. The main vulnerability lies in the settings section where the source map files are exposed. The lines: ```scala lessEntryPoints <<= baseDirectory(_ / "app" / "assets" / "stylesheets" / "*.less"), javascriptEntryPoints <<= baseDirectory(_ / "app" / "assets" / "javascripts" / "*.js") ``` specify the entry points for the LESS and Javascript files. These entry points are exposed, meaning that the .map files generated during the transpilation of these files are accessible. The .map files are essentially a bridge between the transpiled code and the source code. They contain information about the original source files, including file names, line numbers, and even the original source code in some cases. By exposing these .map files, a malicious actor can easily analyze the application, understand its structure, and potentially exploit any vulnerabilities present in the source code. This is a serious information leak vulnerability that should be fixed to prevent potential attacks.
2. Steps
• Remove the configuration that exposes the source map files
• Ensure that the source map files are not accessible from the application's public directory
• Consider minifying and obfuscating the JavaScript and CSS files to make it harder for attackers to analyze the application
3. Secure code example
import sbt._
import PlayProject._
object ApplicationBuild extends Build {
    val appName         = "VulnerableApp"
    val appVersion      = "1.0-SNAPSHOT"
    val appDependencies = Seq(...The original code was exposing the source map files for the application, which could potentially allow a malicious actor to analyze the application and exploit any vulnerabilities found. This is a serious security risk, as it could lead to unauthorized access, data breaches, and other negative impacts. The fixed code removes the configuration that was exposing these source map files. This is done by commenting out the `lessEntryPoints` and `javascriptEntryPoints` lines in the `PlayProject` settings. This ensures that the source map files are not accessible from the application's public directory. In addition to this, it is recommended to consider minifying and obfuscating the JavaScript and CSS files. This makes it harder for attackers to analyze the application, as the code is less readable and more difficult to understand. This can be done using various tools and libraries available for Scala and the Play framework. By implementing these changes, the application becomes more secure and less vulnerable to potential attacks.
References
• 236. Technical information leak - SourceMap