GSA / ai-experience-sharing-platform

This is the source code for the CoE AI Platform (Use Case Library and other content).

Finding: .env Information Leak #343

Open danielnaab opened 3 years ago

danielnaab commented 3 years ago

One or more .env files seem to have been located on the server. These files often expose infrastructure or administrative account credentials, API or APP keys, or other sensitive configuration information.

Recommendation: Ensure the .env file is not accessible.

.env files do not appear to be available, but consider the specific examples given in more depth.

rrkane10x commented 3 years ago

Not a big issue. Need to address that this is an acceptable practice. Requires justification back to pentesting analyst. @taylor-work to confirm what the issue is with data showing for .env.

taylor-work commented 3 years ago

https://github.com/GSA/ai-experience-sharing-platform/pull/347 addresses this by ensuring we always return the SPA index for 404 scenarios.
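To follow up on the "consider the specific examples in more depth" point and to justify the SPA-index-on-404 behaviour to the pentest analyst, here is an added verification helper (not code from this repository or from PR 347) that classifies what a request for `/.env` actually returned: a real 404, the SPA shell (which a scanner keying only on HTTP status will flag, but which discloses no configuration), or genuine dotenv content. The sample responses are constructed for illustration.

```python
import re
from dataclasses import dataclass

# A dotenv line is KEY=VALUE, optionally prefixed with "export".
DOTENV_LINE = re.compile(r"^\s*(?:export\s+)?[A-Za-z_][A-Za-z0-9_]*\s*=")

@dataclass
class Response:
    status: int
    content_type: str
    body: str

def classify_env_response(resp: Response) -> str:
    """Classify the answer to GET /.env.

    'not_found'    -> a real 404, the ideal answer
    'spa_fallback' -> 200 with the SPA index page; flagged by status-only
                      scanners, but no configuration is disclosed
    'leak'         -> body that looks like dotenv KEY=VALUE content
    'other'        -> anything else, review by hand
    """
    if resp.status == 404:
        return "not_found"
    # Ignore blank lines and comments, then see if most lines are KEY=VALUE.
    lines = [l for l in resp.body.splitlines()
             if l.strip() and not l.lstrip().startswith("#")]
    if lines:
        kv = sum(1 for l in lines if DOTENV_LINE.match(l))
        if kv >= max(1, len(lines) // 2):
            return "leak"
    if ("text/html" in resp.content_type.lower()
            and re.search(r"<!doctype html|<html", resp.body, re.I)):
        return "spa_fallback"
    return "other"

# Constructed sample responses (hypothetical, not captured from the project).
SAMPLES = {
    "real_404": Response(404, "text/html", "<html><body>Not Found</body></html>"),
    "spa_shell": Response(200, "text/html; charset=utf-8",
                          '<!DOCTYPE html><html><head><title>App</title></head>'
                          '<body><div id="root"></div></body></html>'),
    "dotenv": Response(200, "application/octet-stream",
                       "# database\nDATABASE_URL=postgres://u:p@h/db\n"
                       "export SECRET_KEY=abc123\n"),
}

def audit_samples() -> dict:
    """Return {sample name: classification} for every constructed sample."""
    return {name: classify_env_response(r) for name, r in SAMPLES.items()}
```

Only the `leak` outcome is a finding; `spa_fallback` is the expected result after the PR and is the evidence to send back to the analyst.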