
Rule S2068 Hard-coded credentials are security-sensitive


    Details

    • Type: New Feature
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 2.1
    • Component/s: Rules

      Description

      Should raise an issue when passwords or secrets are found hard-coded in XML files.

      Should parse the XML tree of the file precisely, so that only the node actually holding the secret is reported (rather than matching on raw text). Example:

      <?xml version="1.0" encoding="UTF-8"?>
      <beans xmlns="http://www.springframework.org/schema/beans"
          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
          xsi:schemaLocation="
              http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd">

          <bean id="connectionFactoryLocator" class="org.springframework.social.connect.support.ConnectionFactoryRegistry">
            <property name="connectionFactories">
                <list>
                    <bean class="org.springframework.social.twitter.connect.TwitterConnectionFactory">
                        <constructor-arg value="blablala-user" />
                        <constructor-arg value="blablala-password" />   <!-- Sensitive -->
                    </bean>
                </list>
            </property>
        </bean>
      </beans>


      Example of an accurate XPath query for retrieving the possible secret above. The predicate selects on the class attribute (written with @ in XPath), and the literal is read from the value attribute of the second constructor-arg:

      node = /beans/bean/property/list/bean[@class="org.springframework.social.twitter.connect.TwitterConnectionFactory"]/constructor-arg[2]

      expectedsecret = node/@value

      Note that the file declares a default namespace (http://www.springframework.org/schema/beans), so an XPath engine must bind a prefix to that namespace for the element names in the query to match.


      The retrieved value should not start with ${ (Spring property placeholder), #{ (SpEL expression) or {{ (template placeholder), and should not be an empty string: such values are resolved at runtime and are not hard-coded secrets, so the rule should not raise on them.
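      As an added illustration (not code from the SonarXML project or its rule implementation), the query and the placeholder filter described above can be reproduced with Python's xml.etree.ElementTree. The Spring XML is the constructed sample from this issue embedded inline; the namespace prefix "b", the function names and the placeholder variant of the file are assumptions made for the example.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the Spring bean definition from this issue, embedded inline.
SPRING_XML = """<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="
        http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd">

    <bean id="connectionFactoryLocator" class="org.springframework.social.connect.support.ConnectionFactoryRegistry">
      <property name="connectionFactories">
          <list>
              <bean class="org.springframework.social.twitter.connect.TwitterConnectionFactory">
                  <constructor-arg value="blablala-user" />
                  <constructor-arg value="blablala-password" />
              </bean>
          </list>
      </property>
  </bean>
</beans>
"""

# Constructed variant (assumption for this example): the same file with the secret
# externalised through a Spring property placeholder, which the rule must not report.
PLACEHOLDER_XML = SPRING_XML.replace('value="blablala-password"',
                                     'value="${twitter.consumer.secret}"')

# The file declares a default namespace, so every element lives in the Spring beans
# namespace; ElementTree needs a prefix (here "b", an arbitrary choice) to match them.
NS = {"b": "http://www.springframework.org/schema/beans"}

TWITTER_FACTORY = "org.springframework.social.twitter.connect.TwitterConnectionFactory"

# The issue's XPath, relative to the <beans> root, in ElementTree's XPath subset:
# an attribute predicate on class and a positional predicate for the second constructor-arg.
SECRET_XPATH = ("./b:bean/b:property/b:list/"
                "b:bean[@class='" + TWITTER_FACTORY + "']/b:constructor-arg[2]")

# Values beginning with these markers are resolved at runtime (Spring property
# placeholder, SpEL expression, template placeholder) and are not literal secrets.
PLACEHOLDER_PREFIXES = ("${", "#{", "{{")


def is_hardcoded(value):
    """True when a retrieved value is a literal secret rather than empty or a placeholder."""
    if not value:
        return False
    return not value.startswith(PLACEHOLDER_PREFIXES)


def find_hardcoded_secrets(xml_text):
    """Return the literal secret values selected by SECRET_XPATH in the given XML document."""
    root = ET.fromstring(xml_text)
    found = []
    for node in root.findall(SECRET_XPATH, NS):
        value = node.get("value")
        if is_hardcoded(value):
            found.append(value)
    return found


if __name__ == "__main__":
    print(find_hardcoded_secrets(SPRING_XML))       # ['blablala-password']
    print(find_hardcoded_secrets(PLACEHOLDER_XML))  # []
```

      Because the query is anchored on the element path and the class attribute, the first constructor-arg (the user name) is never selected, and the placeholder check keeps externalised configuration out of the results.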

              People

              Assignee:
              michael.gumowski Michael Gumowski
              Reporter:
              eric.therond Eric Therond
