Archive Notice (April 15 2022)
This script seems to be helpful for many, but unfortunately I also do not have time to maintain it and properly code review the work of potential contributors. I'll leave it in an archived state for a while for anyone that wants to fork it, but I will eventually delete this repository.
Recover uncompiled TypeScript sources, JSX, and more from Webpack sourcemaps.
The script requires Python 3 and the requests library. Install dependencies with pip3 install -r requirements.txt. The script can unpack a sourcemap you have already downloaded, or fetch sourcemaps from remote sources for you. In all of the examples below, we assume you have created a directory called output alongside the script:
$ mkdir output
The three modes below are listed in order of increasing noisiness, from no network traffic at all to fetching every script on a page. To unpack a local sourcemap:
$ ./unwebpack_sourcemap.py --local /path/to/source.map output
To unpack a remote sourcemap:
$ ./unwebpack_sourcemap.py https://pathto.example.com/source.map output
To read every <script src> on an HTML page, fetch each JS asset, look for a sourceMappingURL comment, and pull the referenced sourcemaps from the remote server:
$ ./unwebpack_sourcemap.py --detect https://pathto.example.com/spa_root/ output
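What the modes above do, written out as an added example (this is not the unwebpack_sourcemap.py code, and the bundle, map and URLs in it are constructed for illustration): locate the sourceMappingURL comment in a bundle, resolve it against the script's URL (or decode an inline data: map), and write the sourcesContent entries out under output/. The map is untrusted input from the target, so the path handling refuses entries that would escape the output directory; network fetching is left out and resolve_ref() only computes where a fetch would go.

```python
"""Added example, not the unwebpack_sourcemap.py code: the core of what a
sourcemap recovery tool does, run offline against a constructed bundle and
map. Fetching over the network is left out; resolve_ref() only computes
where a fetch would go."""
from __future__ import annotations
import base64
import json
import os
import posixpath
import re
import tempfile
from urllib.parse import urljoin

# The reference comment bundlers append to a bundle, e.g.
#   //# sourceMappingURL=main.abc123.js.map   (older tools used //@)
SOURCEMAP_RE = re.compile(r"(?://|/\*)\s*[#@]\s*sourceMappingURL=([^\s*]+)")

def find_sourcemap_refs(js_text: str) -> list[str]:
    """Every sourceMappingURL value in a bundle (browsers honour the last one)."""
    return SOURCEMAP_RE.findall(js_text)

def resolve_ref(ref: str, script_url: str) -> tuple[str, str]:
    """Turn a reference into ('inline', json_text) for data: URIs or
    ('url', absolute_url) resolved relative to the script that carried it."""
    if ref.startswith("data:"):
        header, payload = ref.split(",", 1)
        if ";base64" not in header:
            raise ValueError("only base64 data: sourcemaps are handled here")
        return ("inline", base64.b64decode(payload).decode("utf-8"))
    return ("url", urljoin(script_url, ref))

def safe_relative_path(source: str) -> str | None:
    """Map a 'sources' entry such as 'webpack:///./src/App.tsx' to a path under
    the output directory, or None if it would escape it. The map is untrusted
    input from the target site, so a crafted '../' entry must not be able to
    write outside output/."""
    path = re.sub(r"^webpack://[^/]*/", "", source)  # strip webpack://<ns>/
    path = path.split("?", 1)[0]                       # drop loader query strings
    path = posixpath.normpath(path.lstrip("/"))
    if path in ("", ".", "..") or path.startswith("../"):
        return None
    return path

def unpack(sourcemap_json: str, output_dir: str) -> tuple[list[str], list[tuple[str, str]]]:
    """Write each recoverable source into output_dir. Returns (written, skipped)."""
    smap = json.loads(sourcemap_json)
    if smap.get("version") != 3:
        raise ValueError("only source map v3 is supported")
    contents = smap.get("sourcesContent")
    if not contents:
        raise ValueError("no sourcesContent: the map carries only mappings, nothing to recover")
    written, skipped = [], []
    for src, content in zip(smap.get("sources", []), contents):
        if content is None:
            skipped.append((src, "no content"))
            continue
        rel = safe_relative_path(src)
        if rel is None:
            skipped.append((src, "unsafe path"))
            continue
        dest = os.path.join(output_dir, *rel.split("/"))
        os.makedirs(os.path.dirname(dest), exist_ok=True)
        with open(dest, "w", encoding="utf-8") as fh:
            fh.write(content)
        written.append(rel)
    return written, skipped

# Constructed sample: a minified bundle plus the map a TypeScript+React build
# might emit for it, with one crafted traversal entry added.
SAMPLE_BUNDLE = '!function(){"use strict";console.log("hi")}();\n//# sourceMappingURL=main.abc123.js.map\n'
SAMPLE_MAP = json.dumps({
    "version": 3,
    "file": "main.abc123.js",
    "sources": [
        "webpack:///./src/App.tsx",
        "webpack:///./src/index.tsx",
        "webpack:///../../../etc/evil.sh",           # must not escape output/
        "webpack:///./node_modules/react/index.js",  # no embedded content
    ],
    "sourcesContent": [
        "export const App = () => <h1>Hello</h1>;\n",
        "import { App } from './App';\n",
        "rm -rf /\n",
        None,
    ],
    "mappings": "AAAA",
})
SAMPLE_INLINE_REF = "data:application/json;charset=utf-8;base64," + \
    base64.b64encode(b'{"version":3}').decode()

def demo() -> dict:
    out = tempfile.mkdtemp(prefix="output-")
    written, skipped = unpack(SAMPLE_MAP, out)
    with open(os.path.join(out, "src", "App.tsx"), encoding="utf-8") as fh:
        app = fh.read()
    return {"refs": find_sourcemap_refs(SAMPLE_BUNDLE),
            "written": written, "skipped": skipped, "app_tsx": app}

if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Running it recovers src/App.tsx and src/index.tsx, reports the react entry as having no embedded content (a map that ships without sourcesContent only gives you file names, not code), and refuses the ../../../etc/evil.sh entry. That last case is the one to keep in mind when pointing any unpacker at a hostile site: the map decides the file names it asks you to write.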
I'm a developer and this scares me. What do?
You have a few options:
- Turn off sourcemaps in production entirely (for webpack, devtool: false in the production build).
- Push sourcemaps to a private server (for example your error-tracking service), and ACL the sourcemap URIs to developers only.
- Load sourcemaps from local sources only and do not push them to production.
Removing only the sourceMappingURL comment (what webpack's hidden-source-map setting does) is not enough on its own if the .map files are still deployed: they sit at the predictable <bundle>.js.map path next to each bundle and can be requested directly. Check the build output for .map files before it ships.
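A pre-deploy check that catches both mistakes the options above guard against, as an added example (not part of this project; the dist/ layout and file contents it builds are constructed for illustration): it walks a build directory, flags every .map file and every bundle that still carries a sourceMappingURL comment, and exits non-zero if anything is found, so it can gate a CI deploy step.

```python
"""Added example (not part of unwebpack_sourcemap): a pre-deploy check that
fails the build if sourcemaps, or references to them, are about to ship.
Assumes a webpack-style output directory such as dist/ or build/."""
from __future__ import annotations
import os
import re
import sys
import tempfile

SOURCEMAP_RE = re.compile(r"(?://|/\*)\s*[#@]\s*sourceMappingURL=([^\s*]+)")

def audit_build(dist_dir: str) -> list[tuple[str, str]]:
    """Return (relative_path, finding) pairs for anything that would disclose sources.

    Two findings matter:
      * a .map file in the output: it can be fetched directly at its predictable
        <bundle>.js.map path even when no bundle references it (webpack's
        hidden-source-map setting produces exactly this trap);
      * a bundle carrying a sourceMappingURL comment, which tells browsers and
        tools like unwebpack_sourcemap where to look.
    """
    findings = []
    for root, _dirs, files in os.walk(dist_dir):
        for name in files:
            full = os.path.join(root, name)
            rel = os.path.relpath(full, dist_dir).replace(os.sep, "/")
            if name.endswith(".map"):
                findings.append((rel, "sourcemap file present in build output"))
            elif name.endswith((".js", ".mjs", ".css")):
                with open(full, encoding="utf-8", errors="replace") as fh:
                    refs = SOURCEMAP_RE.findall(fh.read())
                for ref in refs:
                    kind = "inline (data:) sourcemap" if ref.startswith("data:") else f"reference to {ref}"
                    findings.append((rel, kind))
    return sorted(findings)

def make_sample_build() -> str:
    """Constructed build output reproducing two common mistakes."""
    dist = tempfile.mkdtemp(prefix="dist-")
    js = os.path.join(dist, "static", "js")
    os.makedirs(js)
    with open(os.path.join(js, "main.js"), "w") as fh:
        fh.write('console.log("app");\n//# sourceMappingURL=main.js.map\n')
    with open(os.path.join(js, "main.js.map"), "w") as fh:
        fh.write('{"version":3,"sources":["webpack:///./src/App.tsx"],"sourcesContent":["..."],"mappings":"AAAA"}')
    with open(os.path.join(js, "vendor.js"), "w") as fh:
        fh.write('console.log("vendor");\n')            # no comment (hidden-source-map) ...
    with open(os.path.join(js, "vendor.js.map"), "w") as fh:
        fh.write('{"version":3,"sources":[],"mappings":""}')  # ... but the map still ships
    with open(os.path.join(dist, "index.html"), "w") as fh:
        fh.write('<script src="/static/js/main.js"></script>\n')
    return dist

def demo() -> list[tuple[str, str]]:
    return audit_build(make_sample_build())

if __name__ == "__main__":
    problems = audit_build(sys.argv[1]) if len(sys.argv) > 1 else demo()
    for path, what in problems:
        print(f"{path}: {what}")
    sys.exit(1 if problems else 0)
```

Run it as ./check_sourcemaps.py dist/ (name assumed) after the production build; with no argument it audits the constructed sample, which reports main.js for its comment and both .map files for being present, while vendor.js itself is clean. The point of the sample is the vendor pair: a clean bundle says nothing about whether its map was left behind beside it.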
Example Vulnerable Application
An example TypeScript+React application is included in example-react-ts-app. You can build and run it locally and run the script against the resulting bundle.
This is an alpha-level script built for a series of engagements I was working on in which sourcemaps are disclosed in production environments. It currently is only meant to work with TypeScript+React and TypeScript+Vue templates. Pull requests to harden the script, make it read more sourcemaps, et cetera are greatly appreciated.