CodeQL documentation

Storage of sensitive information in build artifact

ID: js/build-artifact-leak
Kind: path-problem
Severity: error
Precision: high
Tags:
   - security
   - external/cwe/cwe-312
   - external/cwe/cwe-315
   - external/cwe/cwe-359
Query suites:
   - javascript-code-scanning.qls
   - javascript-security-extended.qls
   - javascript-security-and-quality.qls


Sensitive information included in a build artifact can allow an attacker to access the sensitive information if the artifact is published.

Recommendation

Only store information that is meant to be publicly available in a build artifact.

Example

The following example creates a webpack configuration that inserts all environment variables from the host into the build artifact:

const webpack = require("webpack");

module.exports = [{
    plugins: [
        new webpack.DefinePlugin({
            // Serialises every host environment variable, secrets included, into the bundle
            "process.env": JSON.stringify(process.env)
        })
    ]
}];

The environment variables might include API keys or other sensitive information, and the build system should instead insert only the environment variables that are supposed to be public.

The issue has been fixed below, where only the DEBUG environment variable is inserted into the artifact.

const webpack = require("webpack");

module.exports = [{
    plugins: [
        new webpack.DefinePlugin({
            // Only the explicitly chosen DEBUG variable reaches the bundle
            'process.env': JSON.stringify({ DEBUG: process.env.DEBUG })
        })
    ]
}];
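As an added illustration (not code from the CodeQL docs or from webpack), the allowlist approach generalised to several public variables, together with a simple check that scans a produced bundle for the values of variables that were not meant to be public. The names PUBLIC_ALLOWLIST, publicEnvDefinition and scanArtifactForEnvLeaks, the sample environment, and the rough substitution used to stand in for DefinePlugin are all assumptions made for this example.

```javascript
// Added example; not from the CodeQL documentation or from webpack.
// Only variables named here are meant to be public and may reach the bundle.
const PUBLIC_ALLOWLIST = ["DEBUG", "APP_VERSION"];

// Build the value for DefinePlugin's "process.env" key from an allowlist,
// the same idea as the fixed configuration above, for several variables.
function publicEnvDefinition(env, allowlist) {
  const picked = {};
  for (const name of allowlist) {
    if (name in env) picked[name] = env[name];
  }
  return { "process.env": JSON.stringify(picked) };
}

// Scan a built artifact's text for the values of non-allowlisted variables.
// Returns the names of variables whose value appears verbatim. Values shorter
// than 8 characters are skipped to avoid noise from short strings like "true".
function scanArtifactForEnvLeaks(artifactText, env, allowlist) {
  const leaked = [];
  for (const [name, value] of Object.entries(env)) {
    if (allowlist.includes(name)) continue;
    if (typeof value === "string" && value.length >= 8 && artifactText.includes(value)) {
      leaked.push(name);
    }
  }
  return leaked.sort();
}

// Constructed sample environment; none of these are real credentials.
const SAMPLE_ENV = {
  DEBUG: "true",
  APP_VERSION: "1.4.2",
  API_KEY: "sk_test_EXAMPLE_not_a_real_key_0123",
  DB_PASSWORD: "example-password-hunter2",
};

// Rough stand-in for what DefinePlugin does: textual substitution of each
// defined key by its serialised value (the real plugin works on the AST).
function applyDefinitions(source, definitions) {
  let out = source;
  for (const [key, value] of Object.entries(definitions)) {
    out = out.split(key).join(value);
  }
  return out;
}

const SOURCE = "const env = process.env; console.log(env.DEBUG);";
const LEAKY_BUNDLE = applyDefinitions(SOURCE, { "process.env": JSON.stringify(SAMPLE_ENV) });
const SAFE_BUNDLE = applyDefinitions(SOURCE, publicEnvDefinition(SAMPLE_ENV, PUBLIC_ALLOWLIST));
```

Running scanArtifactForEnvLeaks over LEAKY_BUNDLE reports API_KEY and DB_PASSWORD, while SAFE_BUNDLE reports nothing and still carries the public DEBUG and APP_VERSION values.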
