
zForDevelopers – Security Considerations

Evan Moscoso edited this page Jun 6, 2025 · 3 revisions


Security Considerations

MicrobeTrace follows a [secure architecture](https://github.com/CDCgov/MicrobeTrace/wiki/Security). Past security issues have been disclosed under the following CVEs and were patched prior to publication:

There is no evidence that these vulnerabilities were exploited.

Application model

MicrobeTrace is now an Angular (TypeScript) web application that runs entirely in the browser. Data is processed locally and is not transmitted to a remote server unless the user explicitly exports it. This design confines the consequences of a code-execution flaw to the browser sandbox: an attacker can at most run script within the page context, not arbitrary code on the host system.

Protecting user data

All user-provided values are sanitized to mitigate cross-site scripting (XSS) attacks. The application uses Angular's built-in sanitization as well as the filterXSS helper in src/app/contactTraceCommonServices/common.service.ts:

```typescript
filterXSS(t: any, e: any = 0) {
  const argType: any = typeof t;
  if (argType === 'object') {
    // Objects (including null) are serialized, not escaped.
    return JSON.stringify(t);
  } else if (argType === 'number' || argType === 'boolean') {
    // Numbers and booleans are coerced to their string form.
    t = t.toString();
  } else if (argType !== 'string') {
    // Anything else (undefined, function, symbol) is dropped.
    t = '';
  }
  // As shown, each replacement substitutes a keyword for itself (a no-op);
  // the angle-bracket escaping on the return line is what neutralizes markup.
  const i = t.replace(/javascript/gi, 'javascript')
    .replace(/expression/gi, 'expression')
    .replace(/onload/gi, 'onload')
    .replace(/script/gi, 'script')
    .replace(/onerror/gi, 'onerror');
  // `e === !0` is `e === true`: the caller asked for the unescaped string.
  return e === !0 ? i : i.replace(/>/g, '&gt;').replace(/</g, '&lt;');
}
```

Developers must ensure that every value derived from user input is passed through filterXSS (or the equivalent Angular sanitization method) before it is interpolated into the DOM. Reviewers should pay particular attention to any new templates or components that accept user-provided data.
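As an added example (not MicrobeTrace's own code), the following applies a stricter escaping routine to a whole parsed record, such as one node from an uploaded file, and adds a check a reviewer can run over the sanitized data; the record fields and the `isMarkupFree` helper are constructed for illustration.

```typescript
// Added example, not MicrobeTrace code: escape every user-supplied string in a
// parsed record before it is interpolated into the DOM, then verify the result.

// Escape the characters that let a value break out of a text or attribute
// context. Stricter than the page's filterXSS: quotes and & are escaped too,
// and objects are escaped after serialization instead of being returned raw.
function escapeHtml(value: unknown): string {
  if (value === null || value === undefined) return '';
  const s = typeof value === 'string' ? value : JSON.stringify(value);
  return s
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Walk a record (one node or link parsed from an uploaded file) and escape
// every string leaf, keys included, leaving numbers and booleans untouched.
function sanitizeRecord<T>(record: T): T {
  if (typeof record === 'string') return escapeHtml(record) as unknown as T;
  if (Array.isArray(record)) return record.map(sanitizeRecord) as unknown as T;
  if (record !== null && typeof record === 'object') {
    const out: Record<string, unknown> = {};
    for (const [k, v] of Object.entries(record)) out[escapeHtml(k)] = sanitizeRecord(v);
    return out as unknown as T;
  }
  return record; // number, boolean, null, undefined
}

// Reviewer check: true only if no raw angle bracket survives anywhere in the
// record, so a template that binds it as HTML cannot introduce an element.
function isMarkupFree(record: unknown): boolean {
  return !/[<>]/.test(JSON.stringify(record) ?? '');
}

// Constructed sample: a node whose label field carries injected markup.
const sampleNode = {
  id: 'case-17',
  label: 'Site A <script>alert(1)</script>',
  cluster: 3,
  tags: ['<b>hiv</b>', 'cluster-3'],
};

const cleanNode = sanitizeRecord(sampleNode);
console.log(cleanNode.label); // Site A &lt;script&gt;alert(1)&lt;/script&gt;
console.log(isMarkupFree(sampleNode), isMarkupFree(cleanNode)); // false true
```

Running `isMarkupFree` over every record after sanitization is a cheap guard to keep in a unit test when a new import path or component is added.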

Additional best practices

By following these guidelines, MicrobeTrace minimizes the risk of data disclosure and malicious code execution in the browser.
