Technical information leak - Logs

Need

Prevention of unauthorized access to system logs

Context

  • Usage of TypeScript for statically typed JavaScript development
  • Usage of Express for building web applications and APIs
  • Usage of fs for file system operations

Description

Non compliant code

import express from 'express';
import fs from 'fs';

const app = express();

// Vulnerable route that displays the system log
app.get('/system-log', (req, res) => {
  const logData = fs.readFileSync('system.log', 'utf8');
  res.send(logData);
});

app.listen(3000, () => {
  console.log('Server is running on port 3000');
});

The vulnerability in this code is that it exposes the system log to any user who can access the '/system-log' route; the handler performs no authentication or authorization check before returning the file.

In the code, the 'express' and 'fs' modules are imported. The 'express' module is used to create an instance of the Express application, and the 'fs' module is used to read the system log file.

The vulnerable route is defined with the path '/system-log'. When a user makes a GET request to this route, the system log file ('system.log') is read using the 'fs.readFileSync' function. The log data is then sent back as the response to the user.

The impact of this vulnerability is that any user who can access the '/system-log' route can view the contents of the system log file. This can potentially expose sensitive information about the system, such as error messages, debugging information, or even credentials.

The recommended fix for this vulnerability is to avoid exposing system information in files that can be accessed by third parties. In this case, the system log file should not be directly accessible through a route. Instead, access to the system log should be restricted to authorized users or logged-in administrators.

Steps

  • Move the system log file to a location that is not accessible by the public.
  • Update the route '/system-log' to read the log file from the new location.
  • Implement authentication and authorization to restrict access to the system log.
  • Consider implementing a logging framework that provides better control over the information logged.

Compliant code

import express from 'express';
import fs from 'fs';
import path from 'path';

const app = express();

// Move the system log file to a location that is not accessible by the public
const logFilePath = path.join(__dirname, 'logs', 'system.log');

// Route that displays the system log; it must only serve authorized users
app.get('/system-log', (req, res) => {
  // Implement authentication and authorization to restrict access to the system log
  // Add your authentication and authorization logic here

  // Read the log file from the new location
  const logData = fs.readFileSync(logFilePath, 'utf8');
  res.send(logData);
});

app.listen(3000, () => {
  console.log('Server is running on port 3000');
});

In the fixed code, several measures have been taken to address the vulnerability of technical information leakage through logs.

  1. The code imports the necessary modules: express, fs, and path.

  2. The application creates an instance of the Express framework using express().

  3. The system log file is moved to a location that is not accessible by the public. The logFilePath variable holds the path of the log file, built by joining the current directory, the 'logs' folder and the file name. This only keeps the file private as long as that folder is not served as static content.

  4. The route that displays the system log is defined using app.get('/system-log', ...). The code comments indicate that authentication and authorization logic should be implemented to restrict access to the system log. This means that only authorized users should be able to access the log.

  5. Inside the route handler, the log file is read using fs.readFileSync(logFilePath, 'utf8'). This reads the contents of the log file as a string.

  6. The log data is sent as the response using res.send(logData).

  7. The application listens on port 3000 using app.listen(3000, ...), indicating that the server is running.

By moving the system log file to a location that is not accessible by the public and implementing authentication and authorization logic, the fixed code ensures that only authorized users can access the log. This helps to prevent information leakage and potential attacks based on the knowledge gained from the log messages.
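The compliant code leaves the authentication and authorization step as a comment. The following is an added example, not part of the original page, of one way to fill it in as a route guard. The names requireRole, probe and TOKENS, the bearer-token scheme and the sample tokens are assumptions made for illustration.

```typescript
import { createHash } from 'crypto';

// Minimal structural types shaped like Express's request/response, so the
// example runs without Express installed.
type Role = 'admin' | 'user';
type Req = { headers: Record<string, string | string[] | undefined> };
type Res = { status(code: number): Res; send(body: string): unknown };

const sha256 = (s: string): string => createHash('sha256').update(s).digest('hex');

// Constructed token store: only token hashes are kept, each mapped to a role.
const TOKENS = new Map<string, Role>([
  [sha256('constructed-admin-token'), 'admin'],
  [sha256('constructed-user-token'), 'user'],
]);

// Hypothetical guard: authenticate the bearer token, then authorize by role.
function requireRole(required: Role, tokens: Map<string, Role> = TOKENS) {
  return (req: Req, res: Res, next: () => void): void => {
    const header = req.headers['authorization'];
    const match = typeof header === 'string' ? /^Bearer (\S+)$/.exec(header) : null;
    const role = match ? tokens.get(sha256(match[1])) : undefined;
    if (role === undefined) {
      res.status(401).send('Authentication required'); // missing or unknown token
      return;
    }
    if (role !== required) {
      res.status(403).send('Forbidden'); // authenticated, but not allowed
      return;
    }
    next(); // only now does the log handler run
  };
}

// Constructed harness: runs the guard against a fake request and reports the
// status code and whether the log handler would have been reached.
function probe(authorization?: string): { status: number; reached: boolean } {
  const out = { status: 200, reached: false };
  const res: Res = {
    status(code) { out.status = code; return res; },
    send() { return undefined; },
  };
  requireRole('admin')({ headers: { authorization } }, res, () => { out.reached = true; });
  return out;
}

// With Express: app.get('/system-log', requireRole('admin'), handler);
```

The guard rejects the request before the log file is read, so an unauthenticated or non-admin caller never triggers the fs.readFileSync call.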