@lachlan-robinson
Contributor
Exposed JavaScript Source Map Review

Lachlan Robinson (220325142)

Summary of Finding

The audit conducted by AppAttack identified that the main.js.map file was accessible to
unauthenticated users at http://172.18.0.1:4200/main.js.map. As noted, source maps expose original
source code structures and may lead to reverse engineering or disclosure of sensitive implementation
details.

Assessment and Remediation Status

We acknowledge this as a valid concern and appreciate the identification. However, it is important
to clarify that:

  • The main.js.map file is only present in development builds of the application.

    ```json
    "development": {
      "optimization": false,
      "extractLicenses": false,
      "sourceMap": true
    }
    ```

  • In our deployment process, production builds are created using the Angular CLI with the
    `--configuration production` flag, which disables the generation and exposure of source maps by
    default.

    ```json
    "production": {
      "budgets": [
        {
          "type": "anyComponentStyle",
          "maximumWarning": "6kb"
        }
      ],
      "fileReplacements": [
        {
          "replace": "src/environments/environment.ts",
          "with": "src/environments/environment.prod.ts"
        },
        {
          "replace": "src/app/config/constants/apiURL.ts",
          "with": "src/app/config/constants/apiURL.prod.ts"
        }
      ],
      "optimization": true,
      "outputHashing": "bundles",
      "sourceMap": false,
      "extractLicenses": true,
      "serviceWorker": "ngsw-config.json"
    },
    ```

  • Therefore, in production environments, this file is not present, and the application does not
    expose source maps publicly.

Recommendation for Retesting

For future vulnerability assessments, we recommend that penetration testing be performed against a
production-equivalent build of the front-end application. This ensures the test environment mirrors
the real-world deployment configuration and avoids false positives related to development-only
artifacts.

@theiris6 theiris6 left a comment

The review document is generally well-structured and correctly addresses the source map exposure finding with appropriate evidence. The response acknowledges the finding while providing context about development vs. production environments.

@ibi420
ibi420 commented May 4, 2025

Hello @lachlan-robinson, your documentation directly identifies the source of the false positive and shows why it was occurring. Your documentation is well structured, follows Doubtfire's guidelines and is in the appropriate format. Thank you for giving me a chance to review your work.

@atharv02-git atharv02-git left a comment

Hi @lachlan-robinson, just went through your work and below are my key takeaways:

  • Your resolution addresses the issue of the exposed JavaScript source map, and your response provided a clear explanation of how the problem is mitigated in the production build.
  • You've correctly pointed out that the source map is only exposed in development builds and that it is properly set to `sourceMap: false` in the production configuration, which effectively prevents source maps from being generated in production.
  • Your documentation is well-written and effectively conveys your approach; one thing I would like you to add is a step-by-step guide on how to validate the vulnerability.

Step-by-step Guide for verifying Exposed Source Maps:

I believe the below steps will further strengthen the resolution by ensuring that the source maps are indeed excluded in production builds.

Step 1: Go to the package.json file, and in the scripts section, ensure that the `build:angular17` script includes the production flag for the build process:
Before: [screenshot]
After: [screenshot]

Step 2: Then go to doubtfire-web and build your app normally using npm start.

Step 3: The image on the left shows the exposed JavaScript source map (main.js.map) in development mode, while the image on the right indicates that in production mode, the source map is not accessible (resulting in a "Cannot GET" error).
[screenshot]

I support Lachlan's recommendation for retesting with a production build to avoid any false positives. Keep up the great work 🫡
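The production-build checks described in the PR and in the steps above, as an added example that is not part of the PR or the Doubtfire project: a script that flags angular.json build configurations which enable source maps, and scans a build output directory for `.map` files or `sourceMappingURL` comments that would let a browser fetch one. The project name, temporary paths and file contents it uses are constructed for the demonstration.

```python
# Added example (not Doubtfire's own code): verifies that an Angular production
# build ships no source maps, first in angular.json, then in the build output.
import os
import re
import tempfile

# The comment a browser follows to fetch a map: "//# sourceMappingURL=" (JS), "/*# ... */" (CSS).
SOURCEMAP_URL = re.compile(r"^(?://|/\*)[#@]\s*sourceMappingURL=", re.MULTILINE)

def sourcemaps_enabled(value) -> bool:
    """Angular's "sourceMap" is a boolean or an object (scripts/styles default true, vendor
    false). "hidden" only drops the sourceMappingURL comment; the .map file is still written."""
    if isinstance(value, dict):
        return any(value.get(k, d) for k, d in
                   (("scripts", True), ("styles", True), ("vendor", False)))
    return bool(value)

def audit_angular_config(angular_json: dict) -> list:
    """Return (project, configuration) pairs whose build configuration enables source maps."""
    findings = []
    for project, pdef in angular_json.get("projects", {}).items():
        configs = pdef.get("architect", {}).get("build", {}).get("configurations", {})
        for name, cfg in configs.items():
            if sourcemaps_enabled(cfg.get("sourceMap", False)):
                findings.append((project, name))
    return findings

def scan_dist(dist_dir: str) -> dict:
    """Walk a build directory; report .map files and bundles that point at one."""
    map_files, referencing = [], []
    for root, _dirs, files in os.walk(dist_dir):
        for name in files:
            path = os.path.join(root, name)
            rel = os.path.relpath(path, dist_dir)
            if name.endswith(".map"):
                map_files.append(rel)
            elif name.endswith((".js", ".css")):
                with open(path, encoding="utf-8", errors="replace") as fh:
                    if SOURCEMAP_URL.search(fh.read()):
                        referencing.append(rel)
    return {"map_files": sorted(map_files), "referencing_bundles": sorted(referencing)}

def demo_dev_build() -> dict:
    # Constructed stand-in for a development build: main.js plus its main.js.map.
    d = tempfile.mkdtemp()
    with open(os.path.join(d, "main.js"), "w") as fh:
        fh.write("console.log('app');\n//# sourceMappingURL=main.js.map\n")
    with open(os.path.join(d, "main.js.map"), "w") as fh:
        fh.write('{"version":3,"sources":["src/app/app.component.ts"]}')
    return scan_dist(d)
```

Run `scan_dist` against the directory produced by a `--configuration production` build; an empty result for both keys is the expected outcome, and any `main.js.map`-style entry means the build is not production-equivalent.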

@DarrylO21
DarrylO21 commented May 13, 2025

Hi @lachlan-robinson, I've reviewed your response to the exposed JavaScript source map finding and I can confirm that the issue does not persist in production builds. The provided configuration and explanation clearly outline that the main.js.map file is correctly excluded from production due to the Angular CLI configuration using the `--configuration production` flag, where `"sourceMap": false` is explicitly set.

Your clarification effectively demonstrates that this is a development-only artifact and not a vulnerability in deployed environments. Thank you for the thorough explanation and the recommendation to align future testing environments with production configurations to avoid such false positives.

Best regards,
Darryl
PT and SCR Senior Lead, AppAttack

@aNebula aNebula left a comment

LGTM

@aNebula aNebula merged commit adb7a61 into thoth-tech:main Jun 13, 2025
6 participants