rspec/rules/S2068/javascript/rule.adoc

Because it is easy to extract strings from an application source code or binary, passwords should not be hard-coded. This is particularly true for applications that are distributed or that are open-source.


In the past, it has led to the following vulnerabilities:

* http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13466[CVE-2019-13466]
* http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-15389[CVE-2018-15389]

Passwords should be stored outside of the code in a configuration file, a database, or a management service for passwords.


This rule flags instances of hard-coded passwords used in database and LDAP connections. It looks for hard-coded passwords in connection strings, and for variable names that match any of the patterns from the provided list.

== Ask Yourself Whether

* Passwords allow access to a sensitive component like a database, a file storage, an API or a service.
* Passwords are used in production environments.
* Application re-distribution is required before updating the passwords.

There is a risk if you answered yes to any of those questions.

== Recommended Secure Coding Practices

* Store the passwords in a configuration file that is not pushed to the code repository.
* Store the passwords in a database.
* Use your cloud provider's service for managing passwords.
* If a password has been disclosed through the source code: change it.

== Sensitive Code Example

----
const mysql = require('mysql');

const connection = mysql.createConnection({
  host:'localhost',
  user: "admin",
  database: "project",
  password: "mypassword", // sensitive 
  multipleStatements: true
});

connection.connect(); 
----

== Compliant Solution

[source,javascript]
----
const mysql = require('mysql');

const connection = mysql.createConnection({
  host: process.env.MYSQL_URL,
  user: process.env.MYSQL_USERNAME,
  password: process.env.MYSQL_PASSWORD,
  database: process.env.MYSQL_DATABASE
});
connection.connect();
----

== See

* OWASP - https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures/[Top 10 2021 Category A7 - Identification and Authentication Failures]
* OWASP - https://owasp.org/www-project-top-ten/2017/A2_2017-Broken_Authentication[Top 10 2017 Category A2 - Broken Authentication]
* CWE - https://cwe.mitre.org/data/definitions/259[CWE-259 - Use of Hard-coded Password]
* Derived from FindSecBugs rule https://h3xstream.github.io/find-sec-bugs/bugs.htm#HARD_CODE_PASSWORD[Hard Coded Password]


ifdef::env-github,rspecator-view[]

'''
== Implementation Specification
(visible only on this page)

=== Message

Review this potentially hard-coded password.


=== Parameters

.passwordWords
****

----
password, passwd, pwd, passphrase
----

Comma separated list of words identifying potential password
****


'''
== Comments And Links
(visible only on this page)

include::../comments-and-links.adoc[]

endif::env-github,rspecator-view[]
Modify rule S2068: Focus on passwords only (#4542) 2024-11-27 10:19:39 +01:00			`Because it is easy to extract strings from an application source code or binary, passwords should not be hard-coded. This is particularly true for applications that are distributed or that are open-source.`
Add rules 2000-2999 2020-06-30 12:48:07 +02:00

Modify rule S2068: Focus on passwords only (#4542) 2024-11-27 10:19:39 +01:00			`In the past, it has led to the following vulnerabilities:`

			`* http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13466[CVE-2019-13466]`
			`* http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-15389[CVE-2018-15389]`

			`Passwords should be stored outside of the code in a configuration file, a database, or a management service for passwords.`


			`This rule flags instances of hard-coded passwords used in database and LDAP connections. It looks for hard-coded passwords in connection strings, and for variable names that match any of the patterns from the provided list.`

			`== Ask Yourself Whether`

			`* Passwords allow access to a sensitive component like a database, a file storage, an API or a service.`
			`* Passwords are used in production environments.`
			`* Application re-distribution is required before updating the passwords.`

			`There is a risk if you answered yes to any of those questions.`

			`== Recommended Secure Coding Practices`

			`* Store the passwords in a configuration file that is not pushed to the code repository.`
			`* Store the passwords in a database.`
			`* Use your cloud provider's service for managing passwords.`
			`* If a password has been disclosed through the source code: change it.`
Add rules 2000-2999 2020-06-30 12:48:07 +02:00
			`== Sensitive Code Example`

			`----`
Modify rule S2068: Focus on passwords only (#4542) 2024-11-27 10:19:39 +01:00			`const mysql = require('mysql');`
Add rules 2000-2999 2020-06-30 12:48:07 +02:00
Modify rule S2068: Focus on passwords only (#4542) 2024-11-27 10:19:39 +01:00			`const connection = mysql.createConnection({`
Add rules 2000-2999 2020-06-30 12:48:07 +02:00			`host:'localhost',`
			`user: "admin",`
			`database: "project",`
			`password: "mypassword", // sensitive`
			`multipleStatements: true`
			`});`

			`connection.connect();`
			`----`

			`== Compliant Solution`

RULEAPI-661: Add syntax coloring 2022-02-04 17:28:24 +01:00			`[source,javascript]`
Add rules 2000-2999 2020-06-30 12:48:07 +02:00			`----`
Modify rule S2068: Focus on passwords only (#4542) 2024-11-27 10:19:39 +01:00			`const mysql = require('mysql');`
Add rules 2000-2999 2020-06-30 12:48:07 +02:00
Modify rule S2068: Focus on passwords only (#4542) 2024-11-27 10:19:39 +01:00			`const connection = mysql.createConnection({`
Add rules 2000-2999 2020-06-30 12:48:07 +02:00			`host: process.env.MYSQL_URL,`
			`user: process.env.MYSQL_USERNAME,`
			`password: process.env.MYSQL_PASSWORD,`
			`database: process.env.MYSQL_DATABASE`
			`});`
			`connection.connect();`
			`----`

Modify rule S2068: Focus on passwords only (#4542) 2024-11-27 10:19:39 +01:00			`== See`

			`* OWASP - https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures/[Top 10 2021 Category A7 - Identification and Authentication Failures]`
			`* OWASP - https://owasp.org/www-project-top-ten/2017/A2_2017-Broken_Authentication[Top 10 2017 Category A2 - Broken Authentication]`
			`* CWE - https://cwe.mitre.org/data/definitions/259[CWE-259 - Use of Hard-coded Password]`
			`* Derived from FindSecBugs rule https://h3xstream.github.io/find-sec-bugs/bugs.htm#HARD_CODE_PASSWORD[Hard Coded Password]`

Export comments and rspec-to-rspec links from jira 2021-06-02 20:44:38 +02:00
Fix the comment display: rule-id, timestamp, GH visibility, link direction 2021-06-03 09:05:38 +02:00			`ifdef::env-github,rspecator-view[]`
RULEAPI-666: Migrate the "List of parameters", "Highlighting" and "Message" fields from jira RSPEC (#346) 2021-09-20 15:38:42 +02:00
			`'''`
			`== Implementation Specification`
			`(visible only on this page)`

Modify rule S2068: Focus on passwords only (#4542) 2024-11-27 10:19:39 +01:00			`=== Message`

			`Review this potentially hard-coded password.`


			`=== Parameters`

			`.passwordWords`
			`****`

			`----`
			`password, passwd, pwd, passphrase`
			`----`

			`Comma separated list of words identifying potential password`
			`****`
RULEAPI-666: Migrate the "List of parameters", "Highlighting" and "Message" fields from jira RSPEC (#346) 2021-09-20 15:38:42 +02:00

RULEAPI-576: add a horizontal rule between rule description and comments 2021-06-08 15:52:13 +02:00			`'''`
Export comments and rspec-to-rspec links from jira 2021-06-02 20:44:38 +02:00			`== Comments And Links`
			`(visible only on this page)`

			`include::../comments-and-links.adoc[]`
Make sure that includes are always surrounded by empty lines (#2270) When an include is not surrounded by empty lines, its content is inlined on the same line as the adjacent content. That can lead to broken tags and other display issues. This PR fixes all such includes and introduces a validation step that forbids introducing the same problem again. 2023-06-22 10:38:01 +02:00
Fix the comment display: rule-id, timestamp, GH visibility, link direction 2021-06-03 09:05:38 +02:00			`endif::env-github,rspecator-view[]`