Skip to content

Source Map Code Leak

Source Map Code Leak


The application should provide as little explanatory information as possible with the compiled code. Metadata such as debugging information, line numbers, and descriptive function or method names make the binary or byte-code easier to reverse engineer.

The application leaks the source code through source map files used solely for debugging and development.

Source code can be fully retrieved with the following sample script:

import sys
import json
import os

filename = sys.argv[1]

map = json.load(open(filename, 'r'))

files = map['sources']
content = map['sourcesContent']

if len(files) != len(content):
    raise ValueError('not same lengths')

for f, c in zip(files, content):
    f = f.replace('../', '')
    if '/' in f:
        os.makedirs(os.path.dirname(f), exist_ok=True)
    with open(f, 'w') as o:

Leaking source code can help attackers easily forge malicious applications or understand the internals of the application to identify vulnerabilities.


Remove all source map files at build time.

For Ionic, ensure the ionic_generate_source_map is set to false.

If the build is generated from the command line, ensure the --generateSourceMap flag is set to false.


    • MSTG_CODE_3
    • MSTG_CODE_3
    • REQ_2_2
    • REQ_6_2
    • REQ_6_3
    • REQ_11_3