
Source code disclosure

Description

The web server returned the application's source code for the current page instead of the output that code produces. Exposed source reveals application logic and frequently contains credentials, internal hostnames and file paths that assist further attacks.

Remediation

Ensure that version-control metadata directories (`.git`, `.svn`) and server configuration files such as `.htaccess` are never deployed to the web server or application server, or, where they must be present on disk, that the server refuses to serve them. Apply the same rule to editor and backup copies of source files (for example `*.bak`, `*.orig`, `*~`), keep directory listing disabled, and make sure the document root does not point at a checked-out repository.

GraphQL Specific

Apollo: To prevent source code disclosure with the Apollo framework engine, put access controls in place so unauthorized users cannot read sensitive files, and configure the web server to deny direct requests for source files and serve only the assets the client needs. Protect application endpoints that could expose source code with robust authentication and authorization, and review these configurations regularly against current best practices.
Yoga: To prevent source code disclosure with the Yoga framework engine, restrict unauthorized users from reading application source and configure the web server to serve only the required files and directories. Complement this with input validation, output encoding and security headers so that source cannot be exposed through other vulnerabilities.
Awsappsync: To prevent source code disclosure in AWS AppSync, configure every GraphQL resolver so that its responses do not expose implementation details. Use AWS Identity and Access Management (IAM) to restrict who can view and modify the AppSync APIs and resolvers, and review those policies regularly against the principle of least privilege. Enable logging and monitoring through AWS CloudTrail and Amazon CloudWatch to detect and respond to unauthorized access attempts. Never hard-code secrets into resolvers or the schema; supply sensitive values through environment variables or a secrets store instead.
Graphqlgo: To prevent source code disclosure in a GraphQL Go framework engine, return generic error messages that never include stack traces or code snippets. Catch exceptions in a central error handler, log the details internally, and run the server in a production mode that suppresses detailed errors. Audit your code and dependencies for vulnerabilities regularly.
Graphqlruby: To prevent source code disclosure in the GraphQL Ruby framework, make sure detailed errors never reach clients: use `rescue_from` on the schema to convert exceptions into a `GraphQL::ExecutionError` carrying a generic message, and log the original exception internally. Restrict the GraphiQL IDE to development, and if introspection is not required in production disable it with `disable_introspection_entry_points`. Keep secrets in environment variables rather than in code, and keep the gem and its dependencies patched.
Hasura: To prevent source code disclosure in the Hasura framework engine, restrict unauthorized access to the GraphQL endpoint and define role-based permissions carefully. Keep sensitive information out of error messages and logs, audit the configuration regularly, and update the engine to pick up the latest security patches.
Agoo: Configure the Agoo framework engine to disable directory listing and restrict access to sensitive files.
Ariadne: Configure access controls and file permissions so that unauthorized users cannot read source code in the Ariadne framework engine.
Caliban: Configure access controls and file permissions so that unauthorized users cannot read source code in the Caliban framework engine.
Dgraph: Set access controls and file permissions so that source code files are not readable by unauthorized users in a Dgraph deployment.
Dianajl: Implement access controls that block direct requests for source code files in the DianaJL framework engine.
Directus: Set correct file permissions and configure the web server so that source code files in the Directus framework cannot be requested directly.
Flutter: Build the Flutter application in release mode before deployment; debug and profile builds carry debugging information that can reveal source.
Graphene: Graphene has no debug switch of its own, so disable the host framework's debug mode in production (for example `DEBUG = False` in Django) and do not enable Graphene's debug middleware, otherwise responses can include tracebacks and query details.
Graphqlapiforwp: Require authentication and enforce access controls on the GraphQL API so that unauthorized clients cannot query it or retrieve sensitive data.
Graphqlgophergo: Implement access controls and validation checks so that unauthorized users cannot reach source code in the GraphQLGopherGo framework.
Graphqljava: Implement access controls and validation so that unauthorized users cannot retrieve the GraphQL schema or other sensitive information.
Graphqlphp: Put access controls and authentication in front of the GraphQL endpoint so that unauthorized clients cannot reach it.
Graphqlyoga: Implement access controls and configure the server so that source code files are never served unintentionally.
Hypergraphql: Configure the server to disable directory listing and set file permissions so that source code is not exposed by accident.
Jaal: Implement access controls and configure the web server to block unauthorized requests for source code files in the Jaal framework engine.
Juniper: Implement access controls and configure the web server to block unauthorized requests for source code files in the Juniper framework engine.
Lacinia: Configure the Lacinia framework engine to disable directory listing and restrict access to sensitive files.
Lighthouse: Configure the server to disable directory listing and set file permissions so that source code is not served.
Mercurius: Configure the Mercurius framework engine to disable directory listing and enforce access controls on sensitive files.
Morpheusgraphql: Implement access controls that block unauthorized requests for source code files in the MorpheusGraphQL framework engine.
Qglgen: Configure the web server in front of the qglgen framework engine to set file permissions correctly and disable directory listing.
Sangria: Configure the Sangria framework engine to disable detailed error messages and harden server settings so that source code cannot be disclosed.
Shopify: Make sure Shopify Liquid templates do not expose sensitive logic or data; apply access controls and review template code for potential leaks.
Stepzen: Configure the server to disable directory listing and turn off debug or verbose error messages that could reveal source code details.
Strawberry: Configure the Strawberry framework engine to disable directory listing and restrict access to sensitive files.
Tartiflette: Configure access controls and permissions so that unauthorized users cannot read source code in the Tartiflette framework engine.
Wpgraphql: Configure access controls and permissions so that unauthorized users cannot read source code in the WPGraphQL framework.
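Several entries above (Graphqlgo, Graphqlruby, Sangria, Stepzen) come down to the same rule: exceptions raised inside a resolver must not reach the client as stack traces, file paths or internal messages. The following added example, which is not code from any of the engines listed, shows a framework-agnostic error formatter that a resolver layer can call, plus the check a scanner runs over the `errors` array. Client-safe errors pass through, anything else becomes a generic message with a correlation id in production (the traceback goes to the server log) while development keeps the detail. The `ClientError` class, the `execute_demo` resolver and its database failure are constructed for the example.

```python
"""Keeping server-side detail out of GraphQL error responses.

Added example, not code from any GraphQL engine. `format_error` is what a
resolver layer would call; `leaked_details` is the check a scanner runs over
the `errors` array. The resolver failure in `execute_demo` is constructed.
"""
import logging
import re
import traceback
import uuid

log = logging.getLogger("graphql.errors")

# Fragments that should never appear in a client-facing error entry.
LEAK_PATTERNS = [
    re.compile(r"Traceback \(most recent call last\)"),          # Python traceback header
    re.compile(r'File "[^"]*", line \d+'),                        # Python stack frame
    re.compile(r"\bat [\w.$]+\(\w+\.java:\d+\)"),                 # Java stack frame
    re.compile(r"(?:/[\w.-]+){2,}\.(?:py|rb|go|js|ts|php|java)\b"),  # absolute source path
]


class ClientError(Exception):
    """An error whose message is safe to return verbatim (validation, auth)."""


def format_error(exc: Exception, path: list, *, production: bool) -> dict:
    """Turn an exception raised in a resolver into one GraphQL `errors` entry."""
    if isinstance(exc, ClientError):
        return {"message": str(exc), "path": path}
    if not production:
        # Development: keep the detail so the developer can debug.
        frames = traceback.format_exception(type(exc), exc, exc.__traceback__)
        return {"message": str(exc), "path": path, "extensions": {"exception": frames}}
    # Production: log everything internally, return only an opaque correlation id.
    error_id = uuid.uuid4().hex
    log.error("resolver error %s at path %s", error_id, path, exc_info=exc)
    return {"message": "Internal server error", "path": path,
            "extensions": {"error_id": error_id}}


def _strings(value):
    """Yield every string nested anywhere inside a JSON-like value."""
    if isinstance(value, str):
        yield value
    elif isinstance(value, dict):
        for item in value.values():
            yield from _strings(item)
    elif isinstance(value, (list, tuple)):
        for item in value:
            yield from _strings(item)


def leaked_details(errors: list) -> list:
    """Return the fragments in an `errors` array that look like leaked internals."""
    hits = []
    for err in errors:
        blob = "\n".join(_strings(err))
        for pattern in LEAK_PATTERNS:
            match = pattern.search(blob)
            if match:
                hits.append(match.group(0))
    return hits


def execute_demo(production: bool) -> dict:
    """Simulate `{ user(id: 1) { name } }` whose database call fails (constructed)."""
    try:
        raise RuntimeError("could not connect to db-internal.prod:5432")
    except RuntimeError as exc:
        error = format_error(exc, ["user"], production=production)
    return {"data": {"user": None}, "errors": [error]}


if __name__ == "__main__":
    for mode in (False, True):
        response = execute_demo(production=mode)
        print("production" if mode else "development", response["errors"][0]["message"],
              "leaks:", leaked_details(response["errors"]))
```

The correlation id is what makes the generic message workable in practice: support staff can find the full traceback in the server log by that id without the client ever seeing it. Running `leaked_details` against responses from a staging deployment, with an intentionally failing query, is a cheap regression check that the production switch is actually on.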

Configuration

Identifier: information_disclosure/code

Options

  • size_threshold : The threshold size indicating whether a response is small or not.
  • diff_threshold : The percentage by which 2 responses can differ and still be considered identical.
  • small_response_diff_threshold : The percentage by which 2 small responses can differ and still be considered identical.
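The three options only make sense together, so here is an added illustrative model of how such thresholds are typically combined. It is an assumption about the semantics, not Escape's implementation, and the default values and the sample bodies are constructed: a response counts as small when it is shorter than `size_threshold`, small responses are compared with `small_response_diff_threshold`, everything else with `diff_threshold`, and two bodies are identical when they differ by at most the applicable percentage.

```python
"""Illustrative model of size_threshold, diff_threshold and
small_response_diff_threshold. Added example; an assumption about how these
thresholds combine, not Escape's implementation. Defaults and bodies are
constructed.
"""
import difflib


def difference_percent(a: str, b: str) -> float:
    """0.0 when the bodies are identical, 100.0 when they share nothing."""
    ratio = difflib.SequenceMatcher(None, a, b, autojunk=False).ratio()
    return (1.0 - ratio) * 100.0


def responses_identical(a: str, b: str, *, size_threshold: int = 512,
                        diff_threshold: float = 10.0,
                        small_response_diff_threshold: float = 25.0) -> bool:
    """Pick the tolerance by response size, then compare (assumed defaults)."""
    small = max(len(a), len(b)) < size_threshold
    allowed = small_response_diff_threshold if small else diff_threshold
    return difference_percent(a, b) <= allowed


# Constructed bodies: a large page that only differs by a per-request id
# (should be treated as identical), and a small probe whose body is git
# metadata rather than the site's 404 page (clearly different content).
PAGE_A = "<html><body>" + "lorem ipsum " * 60 + "<footer>req 1234</footer></body></html>"
PAGE_B = PAGE_A.replace("req 1234", "req 9876")
NOT_FOUND = "<h1>Not Found</h1>"
GIT_HEAD = "ref: refs/heads/main\n"

if __name__ == "__main__":
    print("dynamic page vs itself:", responses_identical(PAGE_A, PAGE_B))
    print("404 page vs .git/HEAD:", responses_identical(NOT_FOUND, GIT_HEAD))
```

The practical consequence is that lowering `size_threshold` moves borderline responses from the looser small-response tolerance to the stricter one, which catches smaller leaks but also flags more noise such as rotating request ids.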

Examples

Ignore this check

checks:
  information_disclosure/code:
    skip: true

Score

  • Escape Severity:

Compliance

  • OWASP: API7:2023
  • OWASP LLM: LLM06:2023
  • pci: 6.5.4
  • gdpr: Article-32
  • soc2: CC6
  • psd2: Article-95
  • iso27001: A.14.1
  • nist: SP800-53
  • fedramp: AC-4

Classification

  • CWE: 200

Score

  • CVSS_VECTOR: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:H/RL:O/RC:C
  • CVSS_SCORE: 7.2

References