Pensar - auto fix for Cleartext Storage of Sensitive CMS Configuration in Browser localStorage #21

Open
wants to merge 1 commit into base: canary

Conversation

pensarapp[bot]

@pensarapp pensarapp bot commented Apr 1, 2025

Secured with Pensar

Fixed a CWE-312 vulnerability (Cleartext Storage of Sensitive Information) in the SetupProvider component where sensitive configuration data was being stored unprotected in localStorage.

The fix includes:

  1. Added four utility functions to protect sensitive data:

    • getIntegrityKey(): Creates a domain-specific key for integrity verification
    • simpleHash(): Implements a simple hashing algorithm for data integrity checks
    • protectData(): Obfuscates data using Base64 encoding and adds integrity protection
    • extractProtectedData(): Verifies and extracts the protected data
  2. Modified the getDataFromLocalStorage() function to handle protected data with backward compatibility for any existing unprotected data.

  3. Updated the localStorage storage mechanism in the useEffect hook (lines 110-115) to protect the data before storing:

    • Changed localStorage.setItem(SETUP_DATA_KEY, JSON.stringify(setupData));
    • To const protectedData = protectData(JSON.stringify(setupData)); localStorage.setItem(SETUP_DATA_KEY, protectedData);

This solution prevents storing sensitive configuration data in cleartext while maintaining backward compatibility with any existing stored data. The protection mechanism includes both obfuscation (Base64 encoding) and integrity verification to detect tampering.

More Details
Type: Application
Identifier: CWE-312
Severity: medium
Message: The SetupProvider component writes configuration data to localStorage in cleartext. This can be problematic if the stored configuration data contains sensitive information. An adversary with access to the user's browser environment may be able to read or manipulate this data. While localStorage is a common storage solution in client-side applications and the code includes error handling, storing configuration data without additional protection (e.g., encryption, integrity checks) is considered a security risk. This is particularly relevant in a CMS context where configuration data is critical for application operation.
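A runnable model of the scheme the PR describes, added here as an example rather than the project's own code: protectData Base64-encodes the JSON and appends a tag from simpleHash keyed by getIntegrityKey, extractProtectedData rejects an entry whose tag no longer matches, and getDataFromLocalStorage still accepts legacy cleartext entries. The PROTECTED_PREFIX marker, the djb2-style hash, the hostname fallback and the in-memory storage stand-in are assumptions; as the description itself says, this is obfuscation plus an integrity check, not encryption, so anyone who can read localStorage can still decode the payload and only modification is detected.

```javascript
// Added example (not the project's code): a model of the protect/extract scheme the PR describes.
const PROTECTED_PREFIX = 'p1:'; // assumed marker distinguishing protected from legacy entries

// Browser globals btoa/atob, with a Buffer fallback for older Node.
const b64encode = (s) => (typeof btoa === 'function' ? btoa(s) : Buffer.from(s, 'latin1').toString('base64'));
const b64decode = (s) => (typeof atob === 'function' ? atob(s) : Buffer.from(s, 'base64').toString('latin1'));

// Domain-specific integrity key; outside a browser a constructed hostname is used.
function getIntegrityKey() {
  const host = typeof window !== 'undefined' && window.location ? window.location.hostname : 'cms.example.invalid';
  return `setup-integrity:${host}`;
}

// Non-cryptographic djb2-style hash of the input, rendered as an 8-hex-digit tag.
function simpleHash(input) {
  let h = 5381;
  for (let i = 0; i < input.length; i++) h = ((h << 5) + h + input.charCodeAt(i)) | 0;
  return (h >>> 0).toString(16).padStart(8, '0');
}

// Base64 obfuscation plus a keyed tag, stored as "<prefix><tag>.<base64>".
function protectData(plain) {
  const encoded = b64encode(plain);
  return `${PROTECTED_PREFIX}${simpleHash(getIntegrityKey() + encoded)}.${encoded}`;
}

// Returns the original string, or null if the entry is not protected or its tag does not match.
function extractProtectedData(stored) {
  if (typeof stored !== 'string' || !stored.startsWith(PROTECTED_PREFIX)) return null;
  const body = stored.slice(PROTECTED_PREFIX.length);
  const dot = body.indexOf('.');
  if (dot < 0) return null;
  const tag = body.slice(0, dot);
  const encoded = body.slice(dot + 1);
  if (simpleHash(getIntegrityKey() + encoded) !== tag) return null; // modified, or wrong origin
  return b64decode(encoded);
}

// Backward-compatible read: protected entries are verified, legacy cleartext JSON is accepted as-is.
// `storage` is anything with getItem(key), e.g. window.localStorage or the stand-in below.
function getDataFromLocalStorage(storage, key) {
  const raw = storage.getItem(key);
  if (raw === null) return null;
  const plain = raw.startsWith(PROTECTED_PREFIX) ? extractProtectedData(raw) : raw;
  if (plain === null) return null;
  try { return JSON.parse(plain); } catch { return null; }
}

// Constructed stand-in for localStorage so the example runs outside a browser.
function memoryStorage() {
  const m = new Map();
  return { getItem: (k) => (m.has(k) ? m.get(k) : null), setItem: (k, v) => { m.set(k, String(v)); } };
}
```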


vercel bot commented Apr 1, 2025

The latest updates on your projects.

Name: simpl-cms-docs
Status: ✅ Ready
Updated (UTC): Apr 1, 2025 7:29am
