Source Map Code Leak

Description

The application should provide as little explanatory information as possible with the compiled code. Metadata such as debugging information, line numbers, and descriptive function or method names make the binary or byte-code easier to reverse engineer.

The application leaks the source code through source map files used solely for debugging and development.

Source code can be fully retrieved with the following sample script:

import sys
import json
import os
import re

# Usage: python extract_sources.py <bundle.map> [output_dir]
filename = sys.argv[1]
out_dir = os.path.abspath(sys.argv[2] if len(sys.argv) > 2 else 'recovered')

with open(filename, 'r') as fh:
    source_map = json.load(fh)  # 'map' would shadow the built-in

files = source_map['sources']
# sourcesContent is optional: without it the map only carries mappings, not code
content = source_map.get('sourcesContent') or []

if len(files) != len(content):
    raise ValueError('sources and sourcesContent do not have the same length')

for f, c in zip(files, content):
    if c is None:
        continue  # this entry has no embedded content
    # Strip the bundler scheme (e.g. webpack:///) and any '../' segments, then
    # refuse paths that would still resolve outside the output directory
    rel = re.sub(r'^[\w+.-]+:/+', '', f).replace('../', '').lstrip('/')
    target = os.path.normpath(os.path.join(out_dir, rel))
    if not target.startswith(out_dir + os.sep):
        raise ValueError('refusing to write outside %s: %s' % (out_dir, f))
    print(rel)
    os.makedirs(os.path.dirname(target), exist_ok=True)
    with open(target, 'w') as o:
        o.write(c)

Leaking source code can help attackers easily forge malicious applications or understand the internals of the application to identify vulnerabilities.

Recommendation

To remove source map files at build time, follow the corresponding guide:

React Native:

On Android, source maps are supported but not generated by default: they are only produced when hermesFlags is set in android/app/build.gradle and includes the -output-source-map option.

On iOS, source maps are disabled by default.

Ionic:

To exclude source map files from Ionic application builds, set ionic_generate_source_map to false in your package.json file:

"dependencies": {
   ...
},
"config": {
   "ionic_generate_source_map": "false"
}

Alternatively, if the build is generated from the command line, ensure the --generateSourceMap flag is set to false.

Native iOS/Android:

Source map files are generally not used in native iOS and Android development. However, if you're using any tools or libraries that generate source maps, ensure that they are configured to exclude source map generation for release builds.

Other frameworks:

For other frameworks like PhoneGap or Cordova, sourcemap files are not generated by default. However, if you're using additional tools or plugins that generate source maps, you'll need to configure them to exclude source map generation for production builds.
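Whatever the framework, the build-time settings above are only effective if the release artifact is actually free of source maps. The following check is an added example, not part of this entry or of any of the frameworks named above: it walks a built release directory, flags every .map file and distinguishes maps that embed sourcesContent (the full source described in the Description section is recoverable) from maps that carry mappings only, and scans bundles for the sourceMappingURL comment that points at an external or inline (data: URL) map. The sample release tree it builds is constructed for the demonstration; the file names, the secret-looking string and the base64 payload are placeholders.

```python
import json
import os
import re
import tempfile

# Comment a bundler appends to point at its source map, in either the
# "//# sourceMappingURL=..." or the "/*# sourceMappingURL=... */" form.
SOURCEMAP_URL_RE = re.compile(
    r'(?://|/\*)[#@]\s*sourceMappingURL=(\S+?)\s*(?:\*/)?\s*$', re.MULTILINE)

# Text assets worth scanning for a sourceMappingURL comment.
BUNDLE_SUFFIXES = ('.js', '.jsbundle', '.bundle', '.css')


def embedded_source_count(map_path):
    """Number of non-empty sourcesContent entries in a source map.
    Zero means the map only carries mappings: line numbers leak, code does not."""
    with open(map_path, 'r', encoding='utf-8', errors='ignore') as fh:
        try:
            data = json.load(fh)
        except ValueError:
            return 0  # not a JSON source map at all
    return sum(1 for c in (data.get('sourcesContent') or []) if c)


def scan_release(root):
    """Walk a built release directory and report source-map exposure.

    Returns a list of (kind, relative_path, detail) tuples sorted by kind and
    path, where kind is 'map-with-content', 'map-without-content',
    'inline-sourcemap' or 'sourcemap-reference'.
    """
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, '/')
            if name.endswith('.map'):
                n = embedded_source_count(path)
                kind = 'map-with-content' if n else 'map-without-content'
                findings.append((kind, rel, n))
            elif name.endswith(BUNDLE_SUFFIXES):
                with open(path, 'r', encoding='utf-8', errors='ignore') as fh:
                    for m in SOURCEMAP_URL_RE.finditer(fh.read()):
                        url = m.group(1)
                        if url.startswith('data:'):
                            # The whole map is embedded in the bundle itself
                            findings.append(('inline-sourcemap', rel, 'data: URL'))
                        else:
                            findings.append(('sourcemap-reference', rel, url))
    return sorted(findings, key=lambda x: (x[0], x[1]))


def build_sample_release():
    """Write a constructed release tree (not a real app) to a temp dir and return its path."""
    root = tempfile.mkdtemp(prefix='release-')
    os.makedirs(os.path.join(root, 'assets'))
    # A bundle that points at an external map...
    with open(os.path.join(root, 'assets', 'index.android.bundle'), 'w') as fh:
        fh.write('var a=1;\n//# sourceMappingURL=index.android.bundle.map\n')
    # ...and that map, with the original source embedded (placeholder content).
    with open(os.path.join(root, 'assets', 'index.android.bundle.map'), 'w') as fh:
        json.dump({'version': 3, 'sources': ['src/App.js'], 'names': [], 'mappings': 'AAAA',
                   'sourcesContent': ['export const API_KEY = "constructed-placeholder";\n']}, fh)
    # A stylesheet with an inline data: URL map (placeholder base64 payload).
    with open(os.path.join(root, 'styles.css'), 'w') as fh:
        fh.write('body{}\n/*# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozfQ== */\n')
    # A map that carries mappings only, with no sourcesContent.
    with open(os.path.join(root, 'vendor.js.map'), 'w') as fh:
        json.dump({'version': 3, 'sources': ['vendor.js'], 'names': [], 'mappings': 'AAAA'}, fh)
    return root


if __name__ == '__main__':
    for kind, rel, detail in scan_release(build_sample_release()):
        print(kind, rel, detail)
```

Run it against the unpacked release artifact (the extracted APK or IPA payload, or the web build output) as a release gate: any 'map-with-content' or 'inline-sourcemap' finding means the recovery script in the Description section would work against that build, and a 'sourcemap-reference' pointing at a file that is not shipped still tells a reader where the map lived on the build machine.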

Standards

  • OWASP_MASVS_L1:
    • MSTG_CODE_3
  • OWASP_MASVS_L2:
    • MSTG_CODE_3
  • PCI_STANDARDS:
    • REQ_2_2
    • REQ_6_2
    • REQ_6_3
    • REQ_11_3
  • OWASP_MASVS_v2_1:
    • MASVS_STORAGE_2
    • MASVS_RESILIENCE_2
    • MASVS_RESILIENCE_3
  • SOC2_CONTROLS:
    • CC_2_1
    • CC_4_1
    • CC_7_1
    • CC_7_2
    • CC_7_4
    • CC_7_5