Description
In the conditional below, there seems to be a potential for production secrets to be written to disk:

cve-services/src/utils/data.js, lines 68 to 83 in 6b085e4:

```js
if (process.env.NODE_ENV === 'development') {
  user.secret = hash
} else {
  const randomKey = cryptoRandomString({ length: CONSTANTS.CRYPTO_RANDOM_STRING_LENGTH })
  user.secret = await argon2.hash(randomKey)

  // write each user's API key to file
  // necessary when standing up any new shared instance of the system
  const payload = { username: user.username, secret: randomKey }
  fs.writeFile(apiKeyFile, JSON.stringify(payload) + '\n', { flag: 'a' }, (err) => {
    if (err) {
      logger.error(error.fileWriteError(err))
      mongoose.connection.close()
    }
  })
}
```
This method writes the generated randomKey to disk with lines 76 and 77 if the environment is not development.
If this method were called in production, would it not write that plaintext key to disk?
Notes:
Any modifications/remediation must be implemented in Master Branch as a "hot fix" to CVE Service 1.1.1 in production as well as in the Dev Branch so that the changes make their way into CVE Services 2.x