99 lines
2.8 KiB
Plaintext
99 lines
2.8 KiB
Plaintext
Because it is easy to extract strings from an application source code or binary, passwords should not be hard-coded. This is particularly true for applications that are distributed or that are open-source.
|
|
|
|
|
|
In the past, it has led to the following vulnerabilities:
|
|
|
|
* http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13466[CVE-2019-13466]
|
|
* http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-15389[CVE-2018-15389]
|
|
|
|
Passwords should be stored outside of the code in a configuration file, a database, or a management service for passwords.
|
|
|
|
|
|
This rule flags instances of hard-coded passwords used in database and LDAP connections. It looks for hard-coded passwords in connection strings, and for variable names that match any of the patterns from the provided list.
|
|
|
|
== Ask Yourself Whether
|
|
|
|
* Passwords allow access to a sensitive component like a database, a file storage, an API or a service.
|
|
* Passwords are used in production environments.
|
|
* Application re-distribution is required before updating the passwords.
|
|
|
|
There is a risk if you answered yes to any of those questions.
|
|
|
|
== Recommended Secure Coding Practices
|
|
|
|
* Store the passwords in a configuration file that is not pushed to the code repository.
|
|
* Store the passwords in a database.
|
|
* Use your cloud provider's service for managing passwords.
|
|
* If a password has been disclosed through the source code: change it.
|
|
|
|
== Sensitive Code Example
|
|
|
|
----
|
|
const mysql = require('mysql');
|
|
|
|
const connection = mysql.createConnection({
|
|
host:'localhost',
|
|
user: "admin",
|
|
database: "project",
|
|
password: "mypassword", // sensitive
|
|
multipleStatements: true
|
|
});
|
|
|
|
connection.connect();
|
|
----
|
|
|
|
== Compliant Solution
|
|
|
|
[source,javascript]
|
|
----
|
|
const mysql = require('mysql');
|
|
|
|
const connection = mysql.createConnection({
|
|
host: process.env.MYSQL_URL,
|
|
user: process.env.MYSQL_USERNAME,
|
|
password: process.env.MYSQL_PASSWORD,
|
|
database: process.env.MYSQL_DATABASE
|
|
});
|
|
connection.connect();
|
|
----
|
|
|
|
== See
|
|
|
|
* OWASP - https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures/[Top 10 2021 Category A7 - Identification and Authentication Failures]
|
|
* OWASP - https://owasp.org/www-project-top-ten/2017/A2_2017-Broken_Authentication[Top 10 2017 Category A2 - Broken Authentication]
|
|
* CWE - https://cwe.mitre.org/data/definitions/259[CWE-259 - Use of Hard-coded Password]
|
|
* Derived from FindSecBugs rule https://h3xstream.github.io/find-sec-bugs/bugs.htm#HARD_CODE_PASSWORD[Hard Coded Password]
|
|
|
|
|
|
ifdef::env-github,rspecator-view[]
|
|
|
|
'''
|
|
== Implementation Specification
|
|
(visible only on this page)
|
|
|
|
=== Message
|
|
|
|
Review this potentially hard-coded password.
|
|
|
|
|
|
=== Parameters
|
|
|
|
.passwordWords
|
|
****
|
|
|
|
----
|
|
password, passwd, pwd, passphrase
|
|
----
|
|
|
|
Comma separated list of words identifying potential password
|
|
****
|
|
|
|
|
|
'''
|
|
== Comments And Links
|
|
(visible only on this page)
|
|
|
|
include::../comments-and-links.adoc[]
|
|
|
|
endif::env-github,rspecator-view[]
|