Rules Repository: RSPEC-1313

Using hardcoded IP addresses is security-sensitive

    Details

    • Type: Security Hotspot Detection
    • Status: Active
    • Resolution: Unresolved
    • Labels:
    • Message:
      Make sure using a hardcoded IP address is safe here.
    • Default Severity:
      Minor
    • Impact:
      Low
    • Likelihood:
      Low
    • Default Quality Profiles:
      Sonar way
    • Targeted languages:
      APEX, Cobol, Flex, PL/SQL, RPG, Rust, TypeScript
    • Covered Languages:
      ABAP, C#, C, C++, Go, Java, JavaScript, Kotlin, Objective-C, PHP, Python, Ruby, Scala, Swift, T-SQL, VB.Net, VB6
    • Irrelevant for Languages:
      HTML, PL/I, XML
    • Remediation Function:
      Constant/Issue
    • Constant Cost:
      30min
    • Analysis Level:
      Syntactic Analysis
    • Analysis Scope:
      Main Sources
    • Implementation details:
    • Common Rule:
      Yes
    • CERT:
      MSC03-J.
    • OWASP:
      A3
    • PMD:
      AvoidUsingHardCodedIP

      Description

      Hardcoding IP addresses is security-sensitive. It has led in the past to the following vulnerabilities:

      Today's services have an ever-changing architecture due to their scaling and redundancy needs. It is a mistake to think that a service will always have the same IP address. When it does change, the hardcoded IP will have to be modified too. This will have an impact on the product development, delivery, and deployment:

      • The developers will have to do a rapid fix every time this happens, instead of having an operations team change a configuration file.
      • It is misleading to use the same address in every environment (dev, sys, qa, prod).

      Last but not least, it has an effect on application security. Attackers might be able to decompile the code and thereby discover a potentially sensitive address. They can perform a Denial of Service attack on the service, try to get access to the system, or try to spoof the IP address to bypass security checks. Such attacks are always possible, but in the case of a hardcoded IP address solving the issue will take more time, which will increase an attack's impact.

      Ask Yourself Whether

      The disclosed IP address is sensitive, e.g.:

      • It can give information to an attacker about the network topology.
      • It is a personal (assigned to an identifiable person) IP address.

      There is a risk if you answered yes to any of these questions.

      Recommended Secure Coding Practices

      Don't hard-code the IP address in the source code; instead make it configurable with environment variables, configuration files, or a similar approach. Alternatively, if confidentiality is not required, a domain name can be used, since it allows changing the destination quickly without having to rebuild the software.

      Exceptions

      No issue is reported for the following cases because they are not considered sensitive:

      • Loopback addresses 127.0.0.0/8 in CIDR notation (from 127.0.0.0 to 127.255.255.255)
      • Broadcast address 255.255.255.255
      • Non-routable address 0.0.0.0
      • Strings of the form 2.5.<number>.<number> as they often match Object Identifiers (OID).
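The following is an added example (not part of the rule page or of SonarSource's own analyzer) that puts the two preceding sections together in Python: a small syntactic check that reports IPv4 literals inside string literals while honouring the four exceptions listed above (loopback 127.0.0.0/8, broadcast 255.255.255.255, non-routable 0.0.0.0, and 2.5.<number>.<number> OID-like strings), plus the remediation the rule recommends, reading the address from the environment or a configuration mapping instead of the source. The regular expression, the function names and the sample source text are assumptions made for this example; the sample uses constructed addresses from private and documentation ranges.

```python
import ipaddress
import os
import re
from typing import List, Mapping, Optional, Tuple

# Assumed pattern: a dotted-quad IPv4 literal enclosed in single or double quotes.
# The rule is syntactic, so only string literals are inspected, not comments or numbers.
IPV4_STRING_LITERAL = re.compile(r"""['"](\d{1,3}(?:\.\d{1,3}){3})['"]""")

# Exceptions taken from the rule description.
LOOPBACK = ipaddress.ip_network("127.0.0.0/8")
BROADCAST = ipaddress.IPv4Address("255.255.255.255")
NON_ROUTABLE = ipaddress.IPv4Address("0.0.0.0")


def is_exception(addr: str) -> bool:
    """Return True when the rule would not report this dotted-quad string."""
    # 2.5.<number>.<number> strings usually are Object Identifiers (OIDs), not IPs.
    if addr.startswith("2.5."):
        return True
    try:
        ip = ipaddress.IPv4Address(addr)
    except ValueError:
        # Not a valid IPv4 address (e.g. an octet above 255): nothing to report.
        return True
    return ip in LOOPBACK or ip == BROADCAST or ip == NON_ROUTABLE


def find_hardcoded_ips(source: str) -> List[Tuple[int, str]]:
    """Return (line number, address) for every reportable IPv4 literal in source."""
    hits = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for match in IPV4_STRING_LITERAL.finditer(line):
            addr = match.group(1)
            if not is_exception(addr):
                hits.append((lineno, addr))
    return hits


def resolve_service_host(name: str, env: Optional[Mapping[str, str]] = None) -> str:
    """Remediation: read the address for `name` from <NAME>_HOST instead of a literal.

    `env` defaults to the process environment; a configuration mapping can be
    passed instead (useful for tests and for per-environment config files).
    A missing key raises instead of silently falling back to a built-in address.
    """
    env = os.environ if env is None else env
    key = f"{name.upper()}_HOST"
    host = env.get(key)
    if not host:
        raise KeyError(f"{key} must be set in the environment or configuration")
    return host


# Constructed sample source: the first line is intentionally blank so that the
# addresses sit on lines 2-7. Addresses are from private/documentation ranges.
SAMPLE_SOURCE = '''
DB_HOST = "10.20.30.40"          # constructed: reported
LOCAL = "127.0.0.1"               # loopback: exception
BIND = "0.0.0.0"                  # non-routable: exception
BCAST = "255.255.255.255"         # broadcast: exception
OID = "2.5.4.3"                   # OID-like string: exception
CDN = "203.0.113.7"               # constructed: reported
'''


if __name__ == "__main__":
    for lineno, addr in find_hardcoded_ips(SAMPLE_SOURCE):
        print(f"line {lineno}: make sure using a hardcoded IP address is safe here: {addr}")
    print(resolve_service_host("db", {"DB_HOST": "db.internal.example"}))
```

Running the block reports the two constructed addresses on lines 2 and 7 and stays silent on the four exception cases; `resolve_service_host` shows the shape of the fix, in which the address lives in configuration and the code only knows the key name.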

      See

          Issue Links

          1. VB6 RSPEC-2546 Language-Specification Active Unassigned
          2. Swift RSPEC-2621 Language-Specification Active Unassigned
          3. Python RSPEC-2682 Language-Specification Active Unassigned
          4. C# RSPEC-2909 Language-Specification Active Unassigned
          5. Go RSPEC-4587 Language-Specification Active Unassigned
          6. Kotlin RSPEC-4698 Language-Specification Active Unassigned
          7. PHP RSPEC-4733 Language-Specification Active Unassigned
          8. Ruby RSPEC-4766 Language-Specification Active Unassigned
          9. ABAP RSPEC-4812 Language-Specification Active Unassigned
          10. T-SQL RSPEC-4836 Language-Specification Active Unassigned
          11. VB.NET RSPEC-4879 Language-Specification Active Unassigned
          12. Scala RSPEC-4911 Language-Specification Active Unassigned
          13. Apex RSPEC-4971 Language-Specification Active Unassigned
          14. Java RSPEC-5880 Language-Specification Active Unassigned
          15. C-Family RSPEC-6049 Language-Specification Active Unassigned
          16. Javascript RSPEC-6094 Language-Specification Active Unassigned

              People

              Assignee: Unassigned
              Reporter: freddy.mallet Freddy Mallet (Inactive)