Description
The URL user info component can contain a hard-coded password:
- Go
url1 := "scheme://user:azerty123@domain.com" // Sensitive
url2 := "scheme://user:@domain.com" // Compliant
url3 := "scheme://user@domain.com:80" // Compliant
url4 := "scheme://user@domain.com" // Compliant
url5 := "scheme://domain.com/user:azerty123" // Compliant
- Ruby
url1 = "scheme://user:azerty123@domain.com" # Sensitive
url2 = "scheme://user:@domain.com" # Compliant
url3 = "scheme://user@domain.com:80" # Compliant
url4 = "scheme://user@domain.com" # Compliant
url5 = "scheme://domain.com/user:azerty123" # Compliant
- Apex
String url1 = 'scheme://user:azerty123@domain.com'; // Sensitive
String url2 = 'scheme://user:@domain.com'; // Compliant
String url3 = 'scheme://user@domain.com:80'; // Compliant
String url4 = 'scheme://user@domain.com'; // Compliant
String url5 = 'scheme://domain.com/user:azerty123'; // Compliant
- Kotlin
val url1 = "scheme://user:azerty123@domain.com" // Sensitive
val url2 = "scheme://user:@domain.com" // Compliant
val url3 = "scheme://user@domain.com:80" // Compliant
val url4 = "scheme://user@domain.com" // Compliant
val url5 = "scheme://domain.com/user:azerty123" // Compliant
- Scala
val url1 = "scheme://user:azerty123@domain.com" // Sensitive
val url2 = "scheme://user:@domain.com" // Compliant
val url3 = "scheme://user@domain.com:80" // Compliant
val url4 = "scheme://user@domain.com" // Compliant
val url5 = "scheme://domain.com/user:azerty123" // Compliant
Exception: no issue should be raised if the user and password parts of the userinfo component are the same:
- Kotlin
val url1 = "scheme://admin:admin@domain.com" // Compliant
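The rule and its exception, sketched as a line scanner. This is an added example, not the analyzer's own implementation; `FindURLPasswords`, `Finding`, `urlUserinfo` and the `sample` input are hypothetical names, and the regular expression is an assumption about how the userinfo component could be matched.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// urlUserinfo matches scheme://user:password@ with a non-empty password.
// Neither part may contain '/', '@', quotes or whitespace, so "user:password"
// in the path and a "host:port" after the '@' are never captured.
var urlUserinfo = regexp.MustCompile(
	`[a-zA-Z][a-zA-Z0-9+.-]*://([^:/@\s"']+):([^/@\s"']+)@`)

// Finding records where a password was found, never the password itself.
type Finding struct {
	Line int
	User string
}

// FindURLPasswords (hypothetical name) applies the rule described above.
func FindURLPasswords(src string) []Finding {
	var findings []Finding
	for i, line := range strings.Split(src, "\n") {
		for _, m := range urlUserinfo.FindAllStringSubmatch(line, -1) {
			user, password := m[1], m[2]
			if user == password {
				continue // exception: identical user and password
			}
			findings = append(findings, Finding{Line: i + 1, User: user})
		}
	}
	return findings
}

// sample is constructed from the literals listed in this ticket.
const sample = `url1 := "scheme://user:azerty123@domain.com"
url2 := "scheme://user:@domain.com"
url3 := "scheme://user@domain.com:80"
url4 := "scheme://user@domain.com"
url5 := "scheme://domain.com/user:azerty123"
url6 := "scheme://admin:admin@domain.com"`

func main() {
	for _, f := range FindURLPasswords(sample) {
		fmt.Printf("line %d: hard-coded password for user %q\n", f.Line, f.User)
	}
}
```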
Issue Links
- implements: RSPEC-2068 Hard-coded credentials are security-sensitive (Active)