Commit

Modify rule S2068: Focus on passwords only
yassin-kammoun-sonarsource committed Nov 27, 2024
1 parent 87317d7 commit 92d6652
Showing 2 changed files with 55 additions and 11 deletions.
1 change: 1 addition & 0 deletions rules/S2068/javascript/metadata.json
@@ -1,4 +1,5 @@
{
"title": "Hard-coded passwords are security-sensitive",
"defaultQualityProfiles": [
"Sonar way"
]
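Review bot: the rendered hunk carries no +/- markers, so it does not show which of the five lines is the single addition; with "1 addition & 0 deletions" and a 4-to-5 line range, the new line is one of these keys, most likely `"title": "Hard-coded passwords are security-sensitive"`. The title matches the narrowed scope in the commit message; since only the first five lines of metadata.json are shown, confirm that the remaining keys (tags, any key derived from the previous broader title) are consistent with the password-only focus.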
65 changes: 54 additions & 11 deletions rules/S2068/javascript/rule.adoc
@@ -1,16 +1,37 @@
include::../description.adoc[]
Because it is easy to extract strings from an application source code or binary, passwords should not be hard-coded. This is particularly true for applications that are distributed or that are open-source.

include::../ask-yourself.adoc[]

include::../recommended.adoc[]
In the past, it has led to the following vulnerabilities:

* http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13466[CVE-2019-13466]
* http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-15389[CVE-2018-15389]
Passwords should be stored outside of the code in a configuration file, a database, or a management service for passwords.


This rule flags instances of hard-coded passwords used in database and LDAP connections. It looks for hard-coded passwords in connection strings, and for variable names that match any of the patterns from the provided list.

== Ask Yourself Whether

* Passwords allow access to a sensitive component like a database, a file storage, an API or a service.
* Passwords are used in production environments.
* Application re-distribution is required before updating the passwords.

There is a risk if you answered yes to any of those questions.

== Recommended Secure Coding Practices

* Store the passwords in a configuration file that is not pushed to the code repository.
* Store the passwords in a database.
* Use your cloud provider's service for managing passwords.
* If a password has been disclosed through the source code: change it.

== Sensitive Code Example

----
var mysql = require('mysql');
const mysql = require('mysql');
var connection = mysql.createConnection(
{
const connection = mysql.createConnection({
host:'localhost',
user: "admin",
database: "project",
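Review bot: the new "== Sensitive Code Example" block opens with a bare `----` delimiter and no `[source,javascript]` attribute, while the compliant example further down has one; add the attribute so both samples are rendered and highlighted consistently. Two smaller points in the same hunk: the CVE references use `http://cve.mitre.org/...` where `https://` is available, and `host:'localhost'` lacks the space after the colon that the other properties have. Note also that this hunk replaces `include::../description.adoc[]`, `include::../ask-yourself.adoc[]` and `include::../recommended.adoc[]` with inlined text, so future edits to the shared adoc files will no longer reach the JavaScript rule; that appears to be the point of "Focus on passwords only", but the commit message should say so.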
Expand All @@ -25,9 +46,9 @@ connection.connect();

[source,javascript]
----
var mysql = require('mysql');
const mysql = require('mysql');
var connection = mysql.createConnection({
const connection = mysql.createConnection({
host: process.env.MYSQL_URL,
user: process.env.MYSQL_USERNAME,
password: process.env.MYSQL_PASSWORD,
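Review bot: `host: process.env.MYSQL_URL` pairs a variable named as a URL with the `host` option, which in the mysql driver expects a hostname; a full connection URI is accepted only as the single string argument to `createConnection`. Rename the variable to something like `MYSQL_HOST`, or pass the URI string directly, so the compliant example does not teach a mismatch. The `var` to `const` change itself is fine and mirrors the sensitive example.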
Expand All @@ -36,17 +57,39 @@ var connection = mysql.createConnection({
connection.connect();
----

include::../see.adoc[]
== See

* OWASP - https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures/[Top 10 2021 Category A7 - Identification and Authentication Failures]
* OWASP - https://owasp.org/www-project-top-ten/2017/A2_2017-Broken_Authentication[Top 10 2017 Category A2 - Broken Authentication]
* CWE - https://cwe.mitre.org/data/definitions/259[CWE-259 - Use of Hard-coded Password]
* Derived from FindSecBugs rule https://h3xstream.github.io/find-sec-bugs/bugs.htm#HARD_CODE_PASSWORD[Hard Coded Password]


ifdef::env-github,rspecator-view[]

'''
== Implementation Specification
(visible only on this page)

include::../message.adoc[]
=== Message

"xxxxx" detected here, make sure this is not a hard-coded password.

Review this hard-coded URI, which may contain a password.


=== Parameters

.passwordWords
****
----
password, passwd, pwd, passphrase
----
Comma separated list of words identifying potential password
****

include::../parameters.adoc[]

'''
== Comments And Links
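Review bot: the parameter description "Comma separated list of words identifying potential password" should read "Comma-separated list of words identifying potential passwords", and because the default `password, passwd, pwd, passphrase` has spaces after the commas, either state in the description that surrounding whitespace is trimmed or write the default without spaces, so that an entry like " passwd" cannot silently fail to match. The first message template uses `xxxxx` as the placeholder for the matched word; consider `"xxxxx" detected here; make sure this is not a hard-coded password.` to avoid the comma splice. As in the description hunk, the inlined "== See", "=== Message" and "=== Parameters" sections replace `include::../see.adoc[]`, `include::../message.adoc[]` and `include::../parameters.adoc[]`, with the same loss of propagation from the shared files.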

0 comments on commit 92d6652