This repository was archived by the owner on May 25, 2026. It is now read-only.
11 changes: 11 additions & 0 deletions www/js/ionicUtils.js
Expand Up @@ -7,17 +7,28 @@
angular.module('ionic.utils', [])

.factory('$localstorage', ['$window', function ($window) {
var sensitiveKeyPattern = /(pass(word)?|secret|token|auth|api[_-]?key|session|cookie|credential|jwt)/i;

Copilot AI Apr 2, 2026


The regex matches substrings like auth anywhere in the key, which can block unrelated keys such as authorName or oauthRedirect. Consider adding word/segment boundaries (e.g., start/end, _/- separators) or matching against a list of exact forbidden keys to reduce false positives.

Suggested change
var sensitiveKeyPattern = /(pass(word)?|secret|token|auth|api[_-]?key|session|cookie|credential|jwt)/i;
var sensitiveKeyPattern = /(pass(word)?|secret|token|(^|[_-])auth([_-]|$)|api[_-]?key|session|cookie|credential|jwt)/i;

function canStoreKey(key) {
return key && !sensitiveKeyPattern.test(key);
Comment on lines +11 to +12

Copilot AI Apr 2, 2026


canStoreKey currently implements a denylist via regex. This is easy to bypass by storing a secret under a non-matching key (e.g., s, data, etc.), so it doesn’t reliably prevent accidental credential/token persistence. Consider switching to an allowlist of explicitly approved keys (or a required prefix + allowlisted suffixes) and rejecting everything else by default.

Suggested change
function canStoreKey(key) {
return key && !sensitiveKeyPattern.test(key);
var allowedKeyPrefixes = ['app_', 'cfg_', 'config_', 'cache_', 'tmp_', 'pref_', 'prefs_', 'setting_', 'settings_', 'user_', 'profile_'];
function canStoreKey(key) {
if (typeof key !== 'string' || !key) {
return false;
}
var hasAllowedPrefix = allowedKeyPrefixes.some(function (prefix) {
return key.indexOf(prefix) === 0;
});
if (!hasAllowedPrefix) {
return false;
}
return !sensitiveKeyPattern.test(key);

}

return {

init: function () {},

set: function (key, value) {
if (!canStoreKey(key)) {
return;
}
$window.localStorage[key] = value;
Comment on lines 19 to 23

Copilot AI Apr 2, 2026


Blocking writes by returning early is silent and can leave an existing sensitive value in localStorage untouched (if it was previously stored), increasing retention. Consider (1) removing any existing value for blocked keys (e.g., removeItem) and (2) surfacing the rejection to callers (throw, return a boolean, or log) so failures aren’t masked.

},
get: function (key, defaultValue) {
return $window.localStorage[key] || defaultValue;
},
setObject: function (key, value) {
if (!canStoreKey(key)) {
return;
}
$window.localStorage[key] = JSON.stringify(value);
},
getObject: function (key) {
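Review bot: canStoreKey (lines +11 to +12) returns the raw key rather than a boolean when key is falsy, and the guard in set/setObject only ever looks at the key name; the value is never inspected and get has no matching check, so anything written under a now-blocked key before this change stays readable. Suggest `return typeof key === 'string' && key !== '' && !sensitiveKeyPattern.test(key);`, a comment above sensitiveKeyPattern stating that it is a heuristic on key names only, and having set/setObject call `$window.localStorage.removeItem(key)` on rejection instead of returning silently, so a stale sensitive value is cleared and the failure is not masked.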
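To make the review points concrete, here is an added example (not code from the PR or the project) that puts the PR's substring denylist next to the boundary-aware regex and the prefix allowlist suggested in the comments, and classifies a few constructed key names under each policy; the prefix list and sample keys are assumptions for illustration.

```javascript
// Added example: compare three key-name policies for localStorage writes.
// The PR's regex matches a sensitive word anywhere in the key name.
var denylistPattern = /(pass(word)?|secret|token|auth|api[_-]?key|session|cookie|credential|jwt)/i;

// Boundary-aware variant: the sensitive word must be a whole segment,
// delimited by start/end of the key or by '_', '-' or '.'.
var segmentedPattern = /(^|[_\-.])(pass(word)?|secret|token|auth|api[_-]?key|session|cookie|credential|jwt)([_\-.]|$)/i;

// Allowlist variant (assumed prefixes): reject anything not explicitly prefixed.
var allowedKeyPrefixes = ['app_', 'cfg_', 'cache_', 'pref_', 'setting_', 'user_'];

function isNonEmptyString(key) {
  return typeof key === 'string' && key !== '';
}

// Policy 1: substring denylist, as in the PR (returns a real boolean).
function denylistAllows(key) {
  return isNonEmptyString(key) && !denylistPattern.test(key);
}

// Policy 2: segment-boundary denylist (fewer false positives).
function segmentedAllows(key) {
  return isNonEmptyString(key) && !segmentedPattern.test(key);
}

// Policy 3: allowlisted prefix AND no sensitive segment (default deny).
function allowlistAllows(key) {
  if (!isNonEmptyString(key)) return false;
  var prefixed = allowedKeyPrefixes.some(function (p) { return key.indexOf(p) === 0; });
  return prefixed && !segmentedPattern.test(key);
}

// Classify constructed sample keys under all three policies.
function classify(keys) {
  return keys.map(function (k) {
    return { key: k, denylist: denylistAllows(k), segmented: segmentedAllows(k), allowlist: allowlistAllows(k) };
  });
}

// Constructed samples: a false positive ('pref_authorName'), a denylist
// bypass ('s'), a genuinely sensitive key ('user_session'), a benign one.
var sampleKeys = ['pref_authorName', 's', 'user_session', 'pref_theme'];
```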