Information Leakage / Source Map Code Leak

Description

Source Map Code Leak is an Information Leakage vulnerability (CWE-200) where application source code or any other configuration or sensitive data is exposed in source maps. Source maps are used to map JavaScript to its original source code, which can be used to debug applications. Source map code leakage can be found in mobile apps and iOS applications. It can also be found in web applications. According to the OWASP Testing Guide, source map code leakage can be identified by examining the source map file itself or by examining the network requests sent by the application.

Risk

The risk associated with Source Map Code Leak is high as it may lead to leakage of sensitive information, including but not limited to application source code, API keys, passwords, and other sensitive data. This information can be used by an attacker to gain access to an application, launch an attack, or steal user data.

Solution

The solution to Source Map Code Leak is to ensure that source maps are not exposed in the production environment. This can be accomplished by adding appropriate checks and validations in the application code to ensure that source maps are only made available in the development environment. Additionally, the source maps should be removed from the production environment as soon as the development is complete.

Example

The following is an example of Source Map Code Leak from CVE-2020-7140. The vulnerability exists in an iOS application that has a source map file that contains the source code of the application and is accessible to the public.

https://example.com/js/app.js.map