SonarPython / SONARPY-273

Rule S2068: Hard-coded credentials are security-sensitive


    Details

    • Type: New Feature
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 2.5
    • Component/s: Rules
    • Labels:
      None

      Description

      Summary

      This rule detects potential hard-coded passwords based on:

      • Literal string format
      • Symbol names
      • Specific APIs (like database connection)

      Code Samples

      Django

      Only raise an issue when the file is called settings.py
      https://github.com/SonarSource/security-expected-issues/blob/master/python/rules/vulnerabilities/RSPEC-2068/settings.py

      Others

      https://github.com/SonarSource/security-expected-issues/blob/master/python/rules/hotspots/RSPEC-2068/hardcoded-credentials.py

      FPs prevention

      Symbol name vs string content

      The implementation of this rule in other languages (like Java) relies heavily on symbol names matching wordlist items to raise issues. The downside is that it raises many FPs when constants are used to avoid duplicated strings:

      RESET_PASSWORD = "/users/resetUserPassword" 
      

      The logic is to avoid raising an issue when the wordlist item is present in both the symbol name and the literal string value.

      # wordlist: password, pwd
      json_password = "password"                                # Compliant
      pwd = "pwd"                                               # Compliant
      PASSWORD = "Password"                                     # Compliant
      PASSWORD_INPUT = "[id='password']"                        # Compliant
      PASSWORD_PROPERTY = "custom.password"                     # Compliant
      TRUSTSTORE_PASSWORD = "trustStorePassword"                # Compliant
      CONNECTION_PASSWORD = "connection.password"               # Compliant
      RESET_PASSWORD = "/users/resetUserPassword"               # Compliant
      
      dict2 = dict(password='PASSWORD') # Compliant
      dict3 = {'password': 'password'} # Compliant
      dict4 = {"login_password": "password"} # Compliant
      foo(msg="PASSWORD=_PASSWORD'") # Compliant
      jim = User(username='jim',password="password88") # Compliant
      conn = pymssql.connect(server='yourserver', user='yourusername@yourserver', password='yourpassword', database='yourdatabase') # Compliant
      

      An exception is made for the following use cases, where the wordlist item appears as a key in the string content itself ("password=<value>") and which are still true positives:

      params = "user=admin&password=Password123" # Sensitive
      sqlserver = "pgsql:host=localhost port=5432 dbname=test user=postgres password=postgres" # Sensitive
      

      Empty strings

      Empty strings should also not be considered hard-coded passwords:

      # wordlist: password, pwd
      json_password = "" # Compliant
      pwd = "" # Compliant
      dict1 = {'password': ''} # Compliant
      

      Database query parameters

      The following use cases show legitimate uses of parameters (placeholders or concatenated variables) in a database query and must not be reported:

      var1 = "password=?" # Compliant
      var1 = "password=:password" # Compliant
      var1 = "password=:param" # Compliant
      var1 = "password='"+pwd+"'" # Compliant
      var1 = "password=%s" # Compliant
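
      The three FP-prevention rules above (symbol name versus string content, empty strings, query parameters) as one added worked example: a small Python detector, written for this ticket and not SonarPython's implementation, that applies the heuristics to a constructed set of sample lines. The wordlist is the one from the samples; the placeholder patterns, the "s3cr3t" sample value and the treatment of foo(msg="PASSWORD=_PASSWORD'") (a value that is nothing but the field name again is treated as a placeholder, not a secret) are assumptions made for this example.

```python
"""Illustrative re-implementation of the S2068 heuristics described in this ticket.

Added example, not SonarPython's own code. The wordlist, the placeholder
patterns and the sample source below are constructed for this demonstration.
"""
import ast
import re

# Constructed wordlist, matching the "# wordlist: password, pwd" comment in the samples.
WORDLIST = ("password", "pwd")

# Query-parameter placeholders: "?", ":name", "%s", "%(name)s", "{}" / "{name}".
PLACEHOLDER_RE = re.compile(r"^(\?|:\w+|%s|%\(\w+\)s|\{\w*\})$")

# "key=value" embedded in string content (URI query strings, connection strings).
# The value stops at whitespace, '&', ';' or a quote, so "password='" + pwd + "'"
# yields an empty value for the first literal.
KV_RE = re.compile(r"(?i)\b(password|pwd)\s*=\s*([^\s&;'\"]*)")


def _mentions_wordlist(text: str) -> bool:
    text = text.lower()
    return any(word in text for word in WORDLIST)


def _is_only_wordlist_word(text: str) -> bool:
    """True for values such as "Password" or "_PASSWORD": the text names the field, it is not a secret
    (assumption for this example, used to keep foo(msg="PASSWORD=_PASSWORD'") compliant)."""
    return re.sub(r"[^a-z0-9]", "", text.lower()) in WORDLIST


def name_is_sensitive(name: str, value: str) -> bool:
    """Symbol-name rule: the name contains a wordlist word, the literal is non-empty and does not."""
    if not _mentions_wordlist(name):
        return False
    if value == "":                       # empty strings are never hard-coded passwords
        return False
    return not _mentions_wordlist(value)  # RESET_PASSWORD = "/users/resetUserPassword" is a constant


def value_is_sensitive(value: str) -> bool:
    """String-content rule: "password=<literal>" is sensitive unless the literal is empty,
    a query placeholder, or just the field name again."""
    for match in KV_RE.finditer(value):
        candidate = match.group(2)
        if not candidate or PLACEHOLDER_RE.match(candidate) or _is_only_wordlist_word(candidate):
            continue
        return True
    return False


def scan(source: str) -> list:
    """Return sorted (line, snippet) pairs for every string the heuristics flag."""
    findings = {}
    for node in ast.walk(ast.parse(source)):
        # Symbol-name rule: assignments, keyword arguments and dict literals with string values.
        pairs = []
        if isinstance(node, ast.Assign):
            pairs += [(t.id, node.value) for t in node.targets if isinstance(t, ast.Name)]
        elif isinstance(node, ast.keyword) and node.arg:
            pairs.append((node.arg, node.value))
        elif isinstance(node, ast.Dict):
            pairs += [(k.value, v) for k, v in zip(node.keys, node.values)
                      if isinstance(k, ast.Constant) and isinstance(k.value, str)]
        for name, expr in pairs:
            if isinstance(expr, ast.Constant) and isinstance(expr.value, str) \
                    and name_is_sensitive(name, expr.value):
                findings.setdefault(expr.lineno, f"{name} = {expr.value!r}")
        # String-content rule: every string literal in the file, wherever it sits.
        if isinstance(node, ast.Constant) and isinstance(node.value, str) \
                and value_is_sensitive(node.value):
            findings.setdefault(node.lineno, repr(node.value))
    return sorted(findings.items())


# Constructed sample file; lines 1-9 mirror the compliant cases above, lines 10-12 are sensitive.
SAMPLE = '''\
json_password = "password"
RESET_PASSWORD = "/users/resetUserPassword"
dict3 = {"password": "password"}
jim = User(username="jim", password="password88")
foo(msg="PASSWORD=_PASSWORD'")
pwd = ""
query = "password=?"
query = "password=:param"
query = "password='" + pwd + "'"
db_password = "s3cr3t"
params = "user=admin&password=Password123"
dsn = "pgsql:host=localhost port=5432 dbname=test user=postgres password=postgres"
'''

if __name__ == "__main__":
    for line, snippet in scan(SAMPLE):
        print(f"line {line}: hard-coded credential in {snippet}")
```

      Running the block reports only lines 10, 11 and 12 of the sample: the symbol-name rule catches db_password, and the string-content rule catches the two "password=<literal>" strings while leaving the placeholder, concatenation and name-only cases alone.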
      

              People

              Assignee:
              guillaume.dequenne Guillaume Dequenne
              Reporter:
              alban.auzeill Alban Auzeill