15 lines
963 B
Plaintext
15 lines
963 B
Plaintext
Because it is easy to extract strings from an application source code or binary, secrets should not be hard-coded. This is particularly true for applications that are distributed or that are open-source.
|
|
|
|
|
|
In the past, it has led to the following vulnerabilities:
|
|
|
|
* http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-25510[CVE-2022-25510]
|
|
* http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42635[CVE-2021-42635]
|
|
|
|
Secrets should be stored outside of the source code in a configuration file or a management service for secrets.
|
|
|
|
|
|
This rule detects variables/fields having a name matching a list of words (secret, token, credential, auth, api[_.-]?key) being assigned a pseudorandom hard-coded value.
|
|
The pseudorandomness of the hard-coded value is based on its entropy and the probability to be human-readable. The randomness sensibility can be adjusted if needed. Lower values will detect less random values, raising potentially more false positives.
|
|
|