Skip to content

Security: Exposed Source Map Review #596

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 1 commit into from
Jun 13, 2025
Merged

Security: Exposed Source Map Review #596

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
67 changes: 67 additions & 0 deletions docs/OnTrack/Security Analysis/exposed-sourcemap-review.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,67 @@
# Exposed JavaScript Source Map Review

_Lachlan Robinson (220325142)_

## Summary of Finding

The audit conducted by AppAttack identified that the main.js.map file was accessible to
unauthenticated users at http://172.18.0.1:4200/main.js.map. As noted, source maps expose original
source code structures and may lead to reverse engineering or disclosure of sensitive implementation
details.

## Assessment and Remediation Status

We acknowledge this as a valid concern and appreciate the identification. However, it is important
to clarify that:

- The main.js.map file is only present in development builds of the application.

```
"development": {
"optimization": false,
"extractLicenses": false,
"sourceMap": true
}
```

- In our deployment process, production builds are created using the Angular CLI with the
--configuration production flag, which disables the generation and exposure of source maps by
default.

```
"production": {
"budgets": [
{
"type": "anyComponentStyle",
"maximumWarning": "6kb"
}
],
"fileReplacements": [
{
"replace": "src/environments/environment.ts",
"with": "src/environments/environment.prod.ts"
},
{
"replace": "src/app/config/constants/apiURL.ts",
"with": "src/app/config/constants/apiURL.prod.ts"
}
],
"optimization": true,
"outputHashing": "bundles",
"sourceMap": false,
"extractLicenses": true,
"serviceWorker": "ngsw-config.json"
},
```

- Therefore, in production environments, this file is not present, and the application does not
expose source maps publicly.

![](./img/exposedmaptest.jpg)

## Recommendation for Retesting

For future vulnerability assessments, we recommend that penetration testing be performed against a
production-equivalent build of the front-end application. This ensures the test environment mirrors
the real-world deployment configuration and avoids false positives related to development-only
artifacts.
Binary file added docs/OnTrack/Security Analysis/img/exposedmaptest.jpg
View file
Open in desktop
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.