Summary
The AIxBlock web application at https://workflow-live.aixblock.io exposes an unminified JavaScript file (assets/index-Bsx76sIu.js) containing sensitive source code, including API endpoints (e.g., /v1/copilot), AI provider configurations, model mappers (e.g., llamaMapper, mistralMapper), parsing logic, internationalization (ICU) implementations, and React application structure (e.g., App, QueryClientProvider). This disclosure allows attackers to reverse-engineer the application’s internals, identify attack surfaces, and potentially exploit additional vulnerabilities.
Description
During testing, an error state exposed the URL https://workflow-live.aixblock.io/assets/index-Bsx76sIu.js, which, when accessed, returns a human-readable JavaScript file. The file includes unminified source code detailing:
API Endpoints: References to /v1/copilot for copilot settings management.
AI Provider Logic: Model mappers (e.g., commonImageMapper, llamaMapper) and provider configurations (e.g., AI_PROVIDERS for OpenAI, Replicate, AIxBlock).
Parsing and Formatting: ICU-related parsing logic (e.g., tryParsePluralOrSelectOptions, IntlMessageFormat) for dynamic content handling.
Application Structure: React components (e.g., App, ConfigureProviderDialog), query client setup (e.g., QueryClientProvider), and error handling (e.g., SetErrorFunction).
This exposure violates security best practices by revealing internal implementation details, enabling attackers to map the API, understand data flow, and identify potential vulnerabilities (e.g., CSRF, IDOR, injection points). Although no hardcoded credentials were observed, the depth of exposed logic poses a significant risk.
Steps to Reproduce
Navigate to https://workflow-live.aixblock.io in a web browser.
Trigger an error state (e.g., submit an invalid POST /api/v1/flows request with a missing displayName field: {"projectId":"gQJEJtNvSSaVi6rzEkKmn"}).
Observe the browser’s network tab or developer console for references to https://workflow-live.aixblock.io/assets/index-Bsx76sIu.js.
Manually access https://workflow-live.aixblock.io/assets/index-Bsx76sIu.js in the browser or via curl https://workflow-live.aixblock.io/assets/index-Bsx76sIu.js.
Verify that the response contains unminified JavaScript code, including API endpoints (search for copilotApi), model mappers (search for mapper), parsing logic (search for tryParse), and React components (search for App or QueryClientProvider).
Recommendations
Obfuscate JavaScript: Minify and obfuscate index-Bsx76sIu.js using tools like UglifyJS or Webpack with production settings to hide logic and endpoints.
Restrict Access: Serve the file with authentication or cache-control headers (e.g., Cache-Control: no-store, no-cache) to prevent public access.
Improve Error Handling: Ensure error states do not expose source file paths or unminified code. Implement custom error pages and sanitize responses to avoid leaking asset references.
Audit Exposed Data: Conduct a thorough review of index-Bsx76sIu.js for any sensitive data (e.g., hardcoded keys, tokens) and remove or encrypt them.
Implement Content Security Policy (CSP): Deploy a CSP to detect and block unauthorized script loading, reducing the risk of exploitation.
Regular Security Audits: Periodically audit client-side assets to ensure no sensitive logic or data is exposed.
Impact
Information Disclosure: Attackers can reverse-engineer the application’s architecture, including API endpoints, data flow, and component interactions, facilitating targeted attacks.
Exploitation Enablement: Exposure of parsing logic, mappers, and endpoints increases the likelihood of successful CSRF, IDOR, or injection attacks by providing a detailed blueprint.
Data Breach Potential: If additional secrets (e.g., API keys, environment variables) are present elsewhere in the file, they could be extracted, leading to unauthorized API access or privilege escalation.
Operational Risk: Understanding React components and query client configurations could allow denial-of-service attacks or manipulation of user data flows.
Reputation Risk: Public disclosure of this vulnerability could damage trust in AIxBlock’s security posture.
CVSS Estimate: 7.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N) – High severity due to remote disclosure of confidential data with moderate attack complexity.
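
One way to run the "Audit Exposed Data" and "Regular Security Audits" recommendations from this report as a build-time check, written here as an added example (not code from the AIxBlock project or from the report). The patterns, the minification thresholds and the sample bundle are assumptions constructed for illustration.

```javascript
// Added example: pre-publish audit of a built JS bundle. The patterns, the
// thresholds and SAMPLE_BUNDLE are constructed for illustration.
const SECRET_PATTERNS = [
  { name: "credential-like assignment",
    re: /\b(api[_-]?key|secret|token|passw(or)?d)\b["']?\s*[:=]\s*["'][\w\-\/+=.]{16,}["']/gi },
  { name: "private key block", re: /-----BEGIN [A-Z ]*PRIVATE KEY-----/g },
  { name: "JWT-like string",
    re: /\beyJ[\w-]{10,}\.[\w-]{10,}\.[\w-]{10,}/g },
];

function auditBundle(source) {
  const lineOf = (index) => source.slice(0, index).split("\n").length;
  const findings = [];
  for (const { name, re } of SECRET_PATTERNS) {
    for (const m of source.matchAll(re)) {
      // Report the location only; never copy the matched value into logs.
      findings.push({ kind: "secret", name, line: lineOf(m.index) });
    }
  }
  // A sourceMappingURL comment points at a map that can restore original sources.
  const map = /\/\/[#@]\s*sourceMappingURL=\S+/.exec(source);
  if (map) findings.push({ kind: "sourcemap", name: "sourceMappingURL comment", line: lineOf(map.index) });

  // Heuristic for "was this built in production mode": long lines, no comments.
  const avgLineLength = source.length / source.split("\n").length;
  const commentLines = (source.match(/^\s*\/\/(?![#@])/gm) || []).length;
  const minified = avgLineLength > 200 && commentLines === 0;

  // Inventory versioned API paths so each can be checked for server-side authorization.
  const pathRe = /["'`](\/(?:api\/)?v\d+\/[\w\-\/]+)["'`]/g;
  const endpoints = [...new Set([...source.matchAll(pathRe)].map((m) => m[1]))].sort();
  return { minified, endpoints, findings };
}

// Constructed sample: readable build output with a placeholder credential.
const SAMPLE_BUNDLE = [
  "// copilot settings client",
  "const copilotApi = { get: () => api.get('/v1/copilot') };",
  "const createFlow = (body) => api.post('/api/v1/flows', body);",
  "const config = { apiKey: 'PLACEHOLDER0000000000000000' };",
  "//# sourceMappingURL=index.js.map",
].join("\n");

console.log(JSON.stringify(auditBundle(SAMPLE_BUNDLE), null, 2));
```

Run against the real build output in CI and fail the pipeline on any finding or when `minified` is false.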