Typescript Insecure Sensitive Information File Storage
Description
This detector identifies TypeScript code that writes sensitive information to files using insecure file system operations. It flags file write operations that may expose sensitive data through inadequate file permissions, unencrypted storage, or other security weaknesses that could lead to unauthorized access to confidential information.
Detection Strategy
• Scans TypeScript files for file system write operations using the 'fs' module or its aliases
• Identifies calls to file write methods (writeFile, writeFileSync, appendFile, etc.) and to stream write methods (write, writeln)
• Evaluates each write operation to determine whether it stores sensitive information unsafely, for example in cleartext or with inadequate file permissions
• Reports a vulnerability for each write operation judged unsafe in the context of its file system usage
Vulnerable code example
import * as fs from 'fs';
const creditCardNumber = "4532-1234-5678-9012";
const cvv = "123";
// VULNERABLE: Writing PCI data in cleartext
fs.writeFileSync("card.txt", creditCardNumber);
fs.appendFileSync("cvv.txt", cvv); // CVV must never be stored
Secure code example
import * as fs from 'fs';
import * as crypto from 'crypto';
const creditCardNumber = "4532-1234-5678-9012";
const cvv = "123";
// SECURE: Mask PCI data before storage
const maskedCard = "**** **** **** " + creditCardNumber.slice(-4);
...
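The following is an added example written for this page; it is not Fluid Attacks' detector code and not part of the page's own snippets. It puts the flagged pattern (cleartext PAN and CVV written with the default, umask-derived mode) next to a hardened version that drops the CVV, masks the PAN, encrypts the record with AES-256-GCM and creates the file owner-only, then inspects both files the way a reviewer would. The names storeCardInsecurely, storeCardSecurely, maskPan, encryptJson, decryptJson, inspectFile and demo are assumptions introduced here, the card record is constructed test data, and the in-process DEMO_KEY stands in for a key that a real service would fetch from a KMS or secrets manager.

```typescript
import * as fs from 'fs';
import * as os from 'os';
import * as path from 'path';
import * as crypto from 'crypto';

// Constructed test record; the PAN is a made-up example number, not real card data.
interface CardRecord { pan: string; cvv: string; expiry: string; }
const SAMPLE: CardRecord = { pan: '4532-1234-5678-9012', cvv: '123', expiry: '12/30' };

// Assumed key source for the example: a random 32-byte key generated in-process.
// A real service would load it from a KMS or secrets manager, never from a file beside the data.
const DEMO_KEY: Buffer = crypto.randomBytes(32);

// Keep only the last four digits; every other digit becomes '*'.
function maskPan(pan: string): string {
  const digits = pan.replace(/\D/g, '');
  return '*'.repeat(Math.max(0, digits.length - 4)) + digits.slice(-4);
}

// AES-256-GCM; output layout is iv (12 bytes) || auth tag (16 bytes) || ciphertext.
function encryptJson(value: unknown, key: Buffer): Buffer {
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
  const ct = Buffer.concat([cipher.update(JSON.stringify(value), 'utf8'), cipher.final()]);
  return Buffer.concat([iv, cipher.getAuthTag(), ct]);
}

function decryptJson(blob: Buffer, key: Buffer): any {
  const iv = blob.subarray(0, 12);
  const tag = blob.subarray(12, 28);
  const ct = blob.subarray(28);
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, iv);
  decipher.setAuthTag(tag);
  return JSON.parse(Buffer.concat([decipher.update(ct), decipher.final()]).toString('utf8'));
}

// VULNERABLE: the pattern the detector flags. Cleartext PAN and CVV, default umask-derived mode.
function storeCardInsecurely(card: CardRecord, dir: string): [string, string] {
  const panFile = path.join(dir, 'card.txt');
  const cvvFile = path.join(dir, 'cvv.txt');
  fs.writeFileSync(panFile, card.pan);
  fs.appendFileSync(cvvFile, card.cvv);
  return [panFile, cvvFile];
}

// SECURE: drop the CVV, mask the PAN, encrypt, and create the file owner-only (0600).
// flag 'wx' makes the write fail if the file already exists: `mode` is applied only on
// creation, so reusing an old world-readable file would silently keep its old permissions.
function storeCardSecurely(card: CardRecord, dir: string, key: Buffer): string {
  const record = { maskedPan: maskPan(card.pan), expiry: card.expiry };
  const file = path.join(dir, 'card.bin');
  fs.writeFileSync(file, encryptJson(record, key), { mode: 0o600, flag: 'wx' });
  return file;
}

// Check a stored file the way a reviewer would: permission bits, and whether a secret appears verbatim.
function inspectFile(file: string, secret: string): { mode: number; containsSecret: boolean } {
  const mode = fs.statSync(file).mode & 0o777;
  const containsSecret = fs.readFileSync(file).toString('latin1').includes(secret);
  return { mode, containsSecret };
}

// Runs both variants in a fresh temp directory and returns the findings for inspection.
function demo() {
  const dir = fs.mkdtempSync(path.join(os.tmpdir(), 'card-storage-'));
  try {
    const [panFile, cvvFile] = storeCardInsecurely(SAMPLE, dir);
    const secureFile = storeCardSecurely(SAMPLE, dir, DEMO_KEY);
    const insecurePan = inspectFile(panFile, SAMPLE.pan);
    const insecureCvv = inspectFile(cvvFile, SAMPLE.cvv);
    const secure = inspectFile(secureFile, SAMPLE.pan.replace(/\D/g, ''));
    const recovered = decryptJson(fs.readFileSync(secureFile), DEMO_KEY);
    return { insecurePan, insecureCvv, secure, recovered };
  } finally {
    fs.rmSync(dir, { recursive: true, force: true });
  }
}

console.log(JSON.stringify(demo(), null, 2));
```

Two points worth keeping in mind when reading the output: the insecure files carry the PAN and CVV verbatim and whatever mode the process umask happened to allow, while the hardened file reports mode 0600, contains no recognisable card digits, and decrypts to a record that has no CVV field at all. The `mode` option on `writeFileSync` is honoured only when the file is created, which is why the secure path opens with `'wx'` rather than overwriting in place; on Windows the POSIX mode bits reported by `statSync` are not meaningful, so the permission check applies to POSIX hosts.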