Skip to main content

Source code disclosure

Description

The source code for the current page was disclosed by the web server.

Remediation

Ensure that .git, .svn, .htaccess metadata files are not deployed to the web server or application server, or cannot be accessed.

GraphQL Specific

Apollo

To prevent source code disclosure in the Apollo framework engine, ensure that proper access controls are in place to restrict unauthorized users from accessing sensitive files. Configure your web server to deny direct access to source code files and serve only the necessary assets to the client. Additionally, implement a robust authentication and authorization mechanism to protect against unauthorized access to application endpoints that could potentially expose source code. Regularly review and update your security configurations to keep up with the latest best practices.

Yoga

To prevent source code disclosure in the Yoga framework engine, ensure that proper access controls are in place to restrict unauthorized users from accessing application source code. Configure the web server to serve only the necessary files and directories. Additionally, implement security measures such as input validation, output encoding, and the use of security headers to mitigate the risk of source code exposure through other vulnerabilities.

Awsappsync

To prevent source code disclosure in AWS AppSync, ensure that all GraphQL resolvers are properly configured to avoid exposing implementation details. Implement strict access controls using AWS Identity and Access Management (IAM) to restrict who can view and modify the AppSync APIs and resolvers. Regularly review and update your security policies to adhere to the principle of least privilege. Additionally, enable logging and monitoring through AWS CloudTrail and Amazon CloudWatch to detect and respond to any unauthorized access attempts. Always use environment variables for sensitive information instead of hardcoding them into your resolvers or schema.

Graphqlgo

To prevent source code disclosure in a GraphQL Go framework engine, ensure that error messages are generic and do not reveal stack traces or code snippets to the client. Implement proper error handling that catches exceptions and logs them internally without exposing sensitive information. Additionally, configure the server to run in a production mode that suppresses detailed errors, and regularly audit your code and dependencies for vulnerabilities.

Graphqlruby

To prevent source code disclosure in the GraphQL Ruby framework, ensure that detailed errors are not exposed to clients. Configure the GraphQL::ExecutionError to handle exceptions and provide generic error messages to the users. Additionally, restrict access to the GraphiQL IDE in production and review the config.interpreter settings to disable introspection queries if necessary. Always use environment variables for sensitive information and never hard-code secrets. Keep the framework and its dependencies up-to-date with the latest security patches.

Hasura

To prevent source code disclosure in the Hasura framework engine, ensure that proper access controls are in place to restrict unauthorized access to the GraphQL endpoint. Configure role-based permissions meticulously, and avoid exposing sensitive information in error messages or logs. Regularly audit your configurations and update the Hasura engine to incorporate the latest security patches and features.

Configuration

Identifier: information_disclosure/code

Options

  • size_threshold : The threshold size indicating whether a response is small or not.
  • diff_threshold : The percentage by which 2 responses can differ and still be considered identical.
  • small_response_diff_threshold : The percentage by which 2 small responses can differ and still be considered identical.

Examples

Ignore this check

checks:
information_disclosure/code:
skip: true

Score

  • Escape Severity: HIGH

Compliance

  • OWASP: API7:2023

  • pci: 6.5.4

  • gdpr: Article-32

  • soc2: CC6

  • psd2: Article-95

  • iso27001: A.14.1

  • nist: SP800-53

  • fedramp: AC-4

Classification

  • CWE: 200

Score

  • CVSS_VECTOR: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:H/RL:O/RC:C
  • CVSS_SCORE: 7.2

References