
Storage of sensitive information in build artifact

ID: js/build-artifact-leak
Kind: path-problem
Security severity: 7.5
Severity: error
Precision: high
Tags:
  - security
  - external/cwe/cwe-312
  - external/cwe/cwe-315
  - external/cwe/cwe-359
Query suites:
  - javascript-code-scanning.qls
  - javascript-security-extended.qls
  - javascript-security-and-quality.qls


Sensitive information included in a build artifact can allow an attacker to access the sensitive information if the artifact is published.

Recommendation

Only store information that is meant to be publicly available in a build artifact.

Example

The following example creates a webpack configuration that inserts all environment variables from the host into the build artifact:

```javascript
const webpack = require("webpack");

module.exports = [
  {
    plugins: [
      // Serialises the entire host environment into the bundle.
      new webpack.DefinePlugin({
        "process.env": JSON.stringify(process.env)
      })
    ]
  }
];
```

The environment variables might include API keys or other sensitive information, and the build system should instead insert only the environment variables that are supposed to be public.

The issue has been fixed below, where only the DEBUG environment variable is inserted into the artifact.

```javascript
const webpack = require("webpack");

module.exports = [
  {
    plugins: [
      // Only the explicitly chosen DEBUG variable reaches the bundle.
      new webpack.DefinePlugin({
        "process.env": JSON.stringify({ DEBUG: process.env.DEBUG })
      })
    ]
  }
];
```
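The fixed configuration hard-codes a single variable. As an added example (not part of the CodeQL documentation or of webpack), the following generalises it to an allowlist of public variable names and adds a check that audits a DefinePlugin `"process.env"` definition for anything outside that list, which is the property the query above is looking for. The function names, the allowlist and the sample environment are all constructed for this example; only the `"process.env": JSON.stringify(...)` shape comes from the page.

```javascript
// Added example, not code from the CodeQL documentation or the webpack project.
// Generalises the fixed configuration above from one DEBUG variable to an
// allowlist of public names, and audits a DefinePlugin definitions object for
// environment values that would be baked into a published bundle.

// Environment variables intended to be public in the artifact (constructed).
const PUBLIC_ENV_KEYS = ["DEBUG", "NODE_ENV"];

// Build the definitions object for webpack.DefinePlugin, copying only the
// allowlisted variables from the host environment. Variables that are not set
// are skipped rather than serialised as undefined.
function buildPublicEnvDefinitions(env, allowlist = PUBLIC_ENV_KEYS) {
  const picked = {};
  for (const key of allowlist) {
    if (Object.prototype.hasOwnProperty.call(env, key)) {
      picked[key] = env[key];
    }
  }
  return { "process.env": JSON.stringify(picked) };
}

// The pattern the query flags: the whole host environment, serialised.
function buildUnsafeEnvDefinitions(env) {
  return { "process.env": JSON.stringify(env) };
}

// Audit a DefinePlugin definitions object and return the names of every
// process.env entry that is not on the allowlist, i.e. values that would end
// up in the bundle without being intended as public. Non-string or non-JSON
// definitions are reported as empty, since nothing was serialised from env.
function leakedEnvKeys(definitions, allowlist = PUBLIC_ENV_KEYS) {
  const raw = definitions["process.env"];
  if (typeof raw !== "string") return [];
  let parsed;
  try {
    parsed = JSON.parse(raw);
  } catch {
    return [];
  }
  if (parsed === null || typeof parsed !== "object") return [];
  return Object.keys(parsed).filter((key) => !allowlist.includes(key));
}

// Constructed sample environment resembling what a CI host exposes to a build.
// The token and password are placeholders, not real credentials.
const SAMPLE_ENV = {
  DEBUG: "false",
  NODE_ENV: "production",
  CI_DEPLOY_TOKEN: "example-token-not-real",
  DATABASE_URL: "postgres://user:example-password@db.internal/app"
};

// Stand-alone run: compare the two configurations against the allowlist.
if (typeof require !== "undefined" && require.main === module) {
  const unsafe = buildUnsafeEnvDefinitions(SAMPLE_ENV);
  console.log("unsafe config leaks:", leakedEnvKeys(unsafe));
  const safe = buildPublicEnvDefinitions(SAMPLE_ENV);
  console.log("allowlist config leaks:", leakedEnvKeys(safe));
}
```

`leakedEnvKeys` can be run against the `definitions` object passed to `new webpack.DefinePlugin(...)` in a config file as a cheap pre-build check; it complements rather than replaces the CodeQL query, which also follows the value through intermediate variables.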
