Details

    • Type: Language-Specification
    • Status: Active
    • Resolution: Unresolved
    • Labels:
      None
    • List of parameters:
      Default value: password, passwd, pwd, passphrase
    • Impact:
      Unknown
    • Likelihood:
      Unknown

      Description

      Because it is easy to extract strings from an application source code or binary, credentials should not be hard-coded. This is particularly true for applications that are distributed or that are open-source.

      In the past, it has led to the following vulnerabilities:

      Credentials should be stored outside of the code in a configuration file, a database, or a management service for secrets.

      This rule looks for hard-coded credentials in variable names that match any of the patterns from the provided list.

      Ask Yourself Whether

      • The credentials allow access to a sensitive component such as a database, file storage, an API, or a service.
      • The credentials are used in production environments.
      • The application must be re-distributed before the credentials can be updated.

      There is a risk if you answered yes to any of those questions.

      Recommended Secure Coding Practices

      • Store the credentials in a configuration file that is not pushed to the code repository.
      • Store the credentials in a database.
      • Use your cloud provider's service for managing secrets.
      • If a password has been disclosed through the source code, change it.

      Sensitive Code Example

      #include <dbi/dbi.h>
      #include <string>
      using std::string;

      dbi_conn conn = dbi_conn_new("mysql");
      string password = "secret"; // Sensitive: the literal can be read from the source or the binary
      dbi_conn_set_option(conn, "password", password.c_str());


      Compliant Solution

      #include <dbi/dbi.h>
      #include <string>
      using std::string;

      string getDatabasePassword(); // reads the password from a configuration file, a database, or a secrets service

      dbi_conn conn = dbi_conn_new("mysql");
      string password = getDatabasePassword(); // Compliant
      dbi_conn_set_option(conn, "password", password.c_str()); // Compliant


      People

      Assignee: Unassigned
      Reporter: Hendrik Buchwald