70 lines
2.2 KiB
Plaintext
70 lines
2.2 KiB
Plaintext
include::../description.adoc[]
|
|
|
|
== Noncompliant Code Example
|
|
|
|
[source,php]
|
|
----
|
|
use Defuse\Crypto\KeyOrPassword;
|
|
|
|
function createKey() {
|
|
$password = "example";
|
|
return KeyOrPassword::createFromPassword($password); // Noncompliant
|
|
}
|
|
----
|
|
|
|
== Compliant Solution
|
|
|
|
Modern web frameworks tend to provide a secure way to pass passwords and secrets
|
|
to the code. For example, in Symfony you can use https://symfony.com/doc/current/configuration/secrets.html[vaults]
|
|
to store your secrets. The secret values are referenced in the same way as
|
|
environment variables, so you can easily access them through https://symfony.com/doc/current/configuration.html#configuration-parameters[configuration parameters].
|
|
|
|
[source,php]
|
|
----
|
|
use Defuse\Crypto\KeyOrPassword;
|
|
|
|
class PasswordService
|
|
{
|
|
private string $password;
|
|
|
|
public function setPassword(string $password): void
|
|
{
|
|
$this->password = $password;
|
|
}
|
|
|
|
public function createKey(): KeyOrPassword
|
|
{
|
|
return KeyOrPassword::createFromPassword($this->password);
|
|
}
|
|
}
|
|
----
|
|
|
|
== See
|
|
|
|
* https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures/[OWASP Top 10 2021 Category A7] - Identification and Authentication Failures
|
|
* https://www.owasp.org/index.php/Top_10-2017_A2-Broken_Authentication[OWASP Top 10 2017 Category A2] - Broken Authentication
|
|
* https://cwe.mitre.org/data/definitions/798.html[MITRE, CWE-798] - Use of Hard-coded Credentials
|
|
* https://cwe.mitre.org/data/definitions/259.html[MITRE, CWE-259] - Use of Hard-coded Password
|
|
* https://wiki.sei.cmu.edu/confluence/x/OjdGBQ[CERT, MSC03-J.] - Never hard code sensitive information
|
|
* https://symfony.com/doc/current/configuration/env_var_processors.html[Symfony] - Environment Variable Processors
|
|
* https://symfony.com/doc/current/configuration.html#configuration-parameters[Symfony] - Configuring Symfony
|
|
* https://symfony.com/doc/current/configuration/secrets.html[Symfony] - How to Keep Sensitive Information Secret
|
|
|
|
ifdef::env-github,rspecator-view[]
|
|
'''
|
|
== Implementation Specification
|
|
(visible only on this page)
|
|
|
|
=== Message
|
|
|
|
Revoke and change this password, as it is compromised.
|
|
|
|
=== Highlighting
|
|
|
|
Highlight the credential use and its initialization.
|
|
|
|
'''
|
|
endif::env-github,rspecator-view[]
|
|
|
|
|