From 56787dce9fa8383a317e7c299467465520c9bf7b Mon Sep 17 00:00:00 2001 From: yassin-kammoun-sonarsource Date: Tue, 26 Nov 2024 16:58:24 +0100 Subject: [PATCH] Modify rule S2068: Focus on passwords only --- rules/S2068/javascript/metadata.json | 1 + rules/S2068/javascript/rule.adoc | 63 +++++++++++++++++++++++----- 2 files changed, 53 insertions(+), 11 deletions(-) diff --git a/rules/S2068/javascript/metadata.json b/rules/S2068/javascript/metadata.json index d860fd4691d..721c5ed7fae 100644 --- a/rules/S2068/javascript/metadata.json +++ b/rules/S2068/javascript/metadata.json @@ -1,4 +1,5 @@ { + "title": "Hard-coded passwords are security-sensitive", "defaultQualityProfiles": [ "Sonar way" ] diff --git a/rules/S2068/javascript/rule.adoc b/rules/S2068/javascript/rule.adoc index 82e8821aa0f..a0e9ffa78e8 100644 --- a/rules/S2068/javascript/rule.adoc +++ b/rules/S2068/javascript/rule.adoc @@ -1,16 +1,37 @@ -include::../description.adoc[] +Because it is easy to extract strings from an application source code or binary, passwords should not be hard-coded. This is particularly true for applications that are distributed or that are open-source. -include::../ask-yourself.adoc[] -include::../recommended.adoc[] +In the past, it has led to the following vulnerabilities: + +* http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13466[CVE-2019-13466] +* http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-15389[CVE-2018-15389] + +Passwords should be stored outside of the code in a configuration file, a database, or a management service for passwords. + + +This rule flags instances of hard-coded passwords used in database and LDAP connections. It looks for hard-coded passwords in connection strings, and for variable names that match any of the patterns from the provided list. + +== Ask Yourself Whether + +* Passwords allow access to a sensitive component like a database, a file storage, an API or a service. +* Passwords are used in production environments. +* Application re-distribution is required before updating the passwords. + +There is a risk if you answered yes to any of those questions. + +== Recommended Secure Coding Practices + +* Store the passwords in a configuration file that is not pushed to the code repository. +* Store the passwords in a database. +* Use your cloud provider's service for managing passwords. +* If a password has been disclosed through the source code: change it. == Sensitive Code Example ---- -var mysql = require('mysql'); +const mysql = require('mysql'); -var connection = mysql.createConnection( -{ +const connection = mysql.createConnection({ host:'localhost', user: "admin", database: "project", @@ -25,9 +46,9 @@ connection.connect(); [source,javascript] ---- -var mysql = require('mysql'); +const mysql = require('mysql'); -var connection = mysql.createConnection({ +const connection = mysql.createConnection({ host: process.env.MYSQL_URL, user: process.env.MYSQL_USERNAME, password: process.env.MYSQL_PASSWORD, @@ -36,7 +57,13 @@ var connection = mysql.createConnection({ connection.connect(); ---- -include::../see.adoc[] +== See + +* OWASP - https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures/[Top 10 2021 Category A7 - Identification and Authentication Failures] +* OWASP - https://owasp.org/www-project-top-ten/2017/A2_2017-Broken_Authentication[Top 10 2017 Category A2 - Broken Authentication] +* CWE - https://cwe.mitre.org/data/definitions/259[CWE-259 - Use of Hard-coded Password] +* Derived from FindSecBugs rule https://h3xstream.github.io/find-sec-bugs/bugs.htm#HARD_CODE_PASSWORD[Hard Coded Password] + ifdef::env-github,rspecator-view[] @@ -44,9 +71,23 @@ ifdef::env-github,rspecator-view[] == Implementation Specification (visible only on this page) -include::../message.adoc[] +=== Message + +Review this potentially hard-coded password. + + +=== Parameters + +.passwordWords +**** + +---- +password, passwd, pwd, passphrase +---- + +Comma separated list of words identifying potential password +**** -include::../parameters.adoc[] ''' == Comments And Links