Skip to content

Latest commit

 

History

History
114 lines (89 loc) · 8.4 KB

mitigations.md

File metadata and controls

114 lines (89 loc) · 8.4 KB

Mitigation Strategies Analysis for vercel/next.js

Mitigation Strategy: Strict Environment Variable Management (Next.js Specific)

  • Description:

    1. NEXT_PUBLIC_ and SERVER_ONLY_ Prefixes: Enforce a strict naming convention. All client-side environment variables must use the NEXT_PUBLIC_ prefix. All server-side-only variables must use a custom prefix like SERVER_ONLY_.
    2. Centralized Access (Next.js Context): Create a module (e.g., config.js) that imports process.env. This module selectively exports only the intended client-side variables (those with NEXT_PUBLIC_) through clearly named functions or constants. Client components never directly access process.env.
    3. Build-Time Validation (Next.js Build Process): Integrate a script into the Next.js build process (using prebuild or build in package.json). This script:
      • Runs after the Next.js build completes.
      • Analyzes the generated client-side bundles (in the .next directory).
      • Uses a regular expression (or AST parsing) to search for any usage of SERVER_ONLY_ prefixed variables within these bundles.
      • If found, the build fails with a descriptive error.
    4. Runtime Validation (_app.js): Within _app.js (or a custom server), before any rendering, include a script that:
      • On the server (typeof window === 'undefined'), checks for the presence of required SERVER_ONLY_ variables.
      • On the client (typeof window !== 'undefined'), checks for the absence of SERVER_ONLY_ variables.
      • Throws an error or prevents rendering if validation fails.

  • Threats Mitigated:

    • Client-Side Exposure of Secrets (High Severity): Prevents accidental leakage of server-side secrets (API keys, etc.) to the client due to incorrect usage of Next.js's environment variable handling.
    • Next.js Configuration Errors (Medium Severity): Reduces the risk of deploying a Next.js application with misconfigured environment variables, leading to unexpected behavior.

  • Impact:

    • Client-Side Exposure of Secrets: Risk significantly reduced (near zero with full implementation). The multi-layered approach leverages Next.js's build process and runtime environment.
    • Next.js Configuration Errors: Risk significantly reduced. Early detection during build and runtime prevents deployment of misconfigured applications.

  • Currently Implemented:

    • Prefixes: Partially (inconsistent use of SERVER_ONLY_).
    • Centralized Access: Not implemented.
    • Build-Time Validation: Not implemented.
    • Runtime Validation: Not implemented.

  • Missing Implementation:

    • Consistent SERVER_ONLY_ prefixing.
    • config.js module creation.
    • Build-time validation script.
    • Runtime validation in _app.js.

Mitigation Strategy: SSRF Prevention in Next.js Data Fetching Functions

  • Description:

    1. URL Allowlist (Next.js Config): Maintain a strict allowlist of permitted domains and URL prefixes within the Next.js configuration (or carefully managed environment variables). This list is used exclusively by getStaticProps, getStaticPaths, and getServerSideProps.
    2. URL Validation (within Data Fetching): Inside getStaticProps, getStaticPaths, and getServerSideProps, use the built-in URL object (or a similar library) to parse all URLs before making any external requests.
    3. Allowlist Enforcement: Before fetching data, compare the parsed URL's hostname and path against the allowlist. Reject the request if it doesn't match.
    4. Avoid Direct User Input (in URL Construction): Within these data fetching functions, never directly construct URLs from user-supplied input. Instead, use user input as keys to look up pre-defined, safe URLs from a configuration or database. If user input must be used, sanitize it rigorously before using it in any URL-related logic.

  • Threats Mitigated:

    • Server-Side Request Forgery (SSRF) in getStaticProps, getStaticPaths, getServerSideProps (High Severity): Prevents attackers from exploiting these Next.js server-side functions to access internal resources or make unauthorized requests.

  • Impact:

    • SSRF: Risk significantly reduced. By strictly controlling the URLs accessed by these Next.js functions, the attack surface is minimized.

  • Currently Implemented:

    • URL Allowlist: Not implemented.
    • URL Validation: Partially (inconsistent).
    • Allowlist Enforcement: Not implemented.
    • Avoid Direct User Input: Partially.

  • Missing Implementation:

    • Allowlist creation.
    • Consistent URL parsing.
    • Allowlist check implementation.
    • Refactoring to avoid direct user input in URLs.

Mitigation Strategy: Safe Redirects with Next.js

  • Description:

    1. Prefer Relative Redirects (Next.js redirect): When using the redirect object in getStaticProps, getServerSideProps, or next.config.js, always prefer relative paths (e.g., /login) over absolute URLs.
    2. URL Allowlist (for External Redirects - Next.js Config): If external redirects are unavoidable, maintain an allowlist of permitted domains within the Next.js configuration.
    3. Validation (within Redirect Logic): Before performing any redirect (using the redirect object), validate the destination URL:
      • If it's a relative path, no further validation is needed.
      • If it's an absolute URL, use the URL object to parse it and check if the hostname matches the allowlist.
    4. Avoid User Input (in Redirect Destinations): Do not use user-supplied data directly to construct the destination property of the redirect object. Use server-side logic or a lookup table.

  • Threats Mitigated:

    • Open Redirects using Next.js redirect (Medium Severity): Prevents attackers from using the Next.js redirect functionality to redirect users to malicious sites.

  • Impact:

    • Open Redirects: Risk significantly reduced. Prioritizing relative redirects and validating absolute URLs against an allowlist effectively mitigates this vulnerability.

  • Currently Implemented:

    • Relative Redirects: Partially.
    • URL Allowlist: Not implemented.
    • Validation: Not implemented.
    • Avoid User Input: Partially.

  • Missing Implementation:

    • Consistent use of relative redirects.
    • Allowlist for external redirects.
    • Validation logic for all redirects.
    • Refactoring to avoid user input.

Mitigation Strategy: Migrate from getInitialProps (Next.js Deprecation)

  • Description:

    1. Identify: Search the entire codebase for any usage of getInitialProps.
    2. Refactor (to Next.js Recommended Methods): Replace every instance of getInitialProps with either getServerSideProps (for server-side rendering on each request) or getStaticProps (for static generation at build time). Choose the appropriate method based on the component's data requirements.
    3. Testing (Post-Migration): After refactoring, thoroughly test all affected components to ensure they function correctly and that no data is unintentionally exposed to the client. This is crucial because getInitialProps runs on both the server and client, while the replacements have clear server/client separation.

  • Threats Mitigated:

    • Data Exposure due to getInitialProps Misuse (High Severity): Eliminates the risk of accidentally exposing sensitive data to the client by using the deprecated getInitialProps method, which has ambiguous execution context.

  • Impact:

    • Data Exposure: Risk eliminated by migrating to getServerSideProps and getStaticProps, which have clearly defined server-side execution.

  • Currently Implemented:

    • Identify: Not performed.
    • Refactor: Not performed.
    • Testing: Not performed.

  • Missing Implementation:

    • Codebase search for getInitialProps.
    • Complete refactoring to getServerSideProps or getStaticProps.
    • Thorough testing after migration.