Security Analysis Report
- Sensitive Data Exposure (High Severity)
a. Vulnerability Type
Sensitive Data Exposure / Hardcoded Credentials (via Client-Side Model Definition).
b. Explanation
The TypeScript type definition TModel includes a field named docker_access_token. This implies that a highly sensitive credential—a Docker access token—is being fetched from the backend and stored in the client-side state (catalog and models).
Access tokens grant permissions and should never be exposed to the client browser unless absolutely necessary for an immediate, client-initiated operation (which is rare and highly discouraged). Exposing this token makes it vulnerable to theft via XSS, man-in-the-middle attacks, or simple inspection of network traffic or browser memory, allowing an attacker to potentially access or manipulate the associated Docker registry.
c. Problematic Line(s) of Code
```typescript
// In TModel definition
docker_access_token: string;
```
d. Corrected, Secure Code Snippet
The sensitive field must be removed from the client-side model definition. The backend API must be modified to ensure this field is never included in the response payload sent to the client.
```typescript
export type TModel = {
  id: number;
  name: string;
  type: string;
  price: number;
  port: string;
  model_desc: string;
  ml_id: number;
  config: string;
  catalog_id: number;
  order: number;
  file: string;
  infrastructure_id: string;
  image_dockerhub_id: string;
  ip_address: string;
  checkpoint_storage_id: string;
  docker_image: string;
  // docker_access_token: string; // REMOVED
  dataset_storage_id: number;
  created_at: string;
  updated_at: string;
  author_id: number;
  status: "created" | "updated" | "deleted";
};
```
e. Why the Corrected Code is More Secure
By removing the docker_access_token from the client-side model, we adhere to the principle of least privilege and prevent the exposure of a critical credential to the browser environment, significantly reducing the attack surface for credential theft.
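The report's backend-side requirement (the field must never be in the response payload) can be enforced with an allow-list serializer plus a payload check suitable for API tests. This is an added example, not code from the report or the project; `ModelRecord`, `toClientModel`, `findSensitiveKeys`, `leakedKeys` and the sample row are hypothetical, and only the field names are taken from `TModel`.

```typescript
// Added example. Only the TModel field names come from the report; the rest is assumed.
type ModelRecord = {
  id: number;
  name: string;
  docker_image: string;
  docker_access_token: string; // needed server-side only
  status: "created" | "updated" | "deleted";
};

// Allow-list of fields that may leave the backend; new columns stay private by default.
const CLIENT_FIELDS = ["id", "name", "docker_image", "status"] as const;
type ClientModel = Pick<ModelRecord, (typeof CLIENT_FIELDS)[number]>;

function toClientModel(record: ModelRecord): ClientModel {
  const out: Record<string, unknown> = {};
  for (const key of CLIENT_FIELDS) out[key] = record[key];
  return out as ClientModel;
}

// Key names that should never appear in a payload sent to the browser.
const SENSITIVE_KEY = /token|secret|password|api[_-]?key/i;

// Walks a response payload and returns the path of every sensitive-looking key.
function findSensitiveKeys(payload: unknown, path: string = "$"): string[] {
  const hits: string[] = [];
  if (payload === null || typeof payload !== "object") return hits;
  const isArray = Array.isArray(payload);
  const obj = payload as Record<string, unknown>;
  for (const key of Object.keys(obj)) {
    const child = isArray ? `${path}[${key}]` : `${path}.${key}`;
    if (!isArray && SENSITIVE_KEY.test(key)) hits.push(child);
    hits.push(...findSensitiveKeys(obj[key], child));
  }
  return hits;
}

// Constructed sample row; the token value is a placeholder.
const sampleRecord: ModelRecord = {
  id: 1,
  name: "demo-model",
  docker_image: "example/demo:latest",
  docker_access_token: "PLACEHOLDER-NOT-A-REAL-TOKEN",
  status: "created",
};

// Convenience wrapper for an API test: pass the list the endpoint would return.
function leakedKeys(models: unknown[]): string[] {
  return findSensitiveKeys({ models });
}
```

Running `leakedKeys` against real endpoint responses in an integration test catches the case where a later schema change reintroduces a credential field that the client type no longer declares.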