Modify rule S2068: Focus on passwords only #4542

Merged
merged 1 commit into from
Nov 27, 2024
1 change: 1 addition & 0 deletions rules/S2068/javascript/metadata.json
@@ -1,4 +1,5 @@
{
"title": "Hard-coded passwords are security-sensitive",
"defaultQualityProfiles": [
"Sonar way"
]
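Review bot: the rendered view has dropped the +/- markers, so the single added line announced by the header @@ -1,4 +1,5 @@ cannot be identified from what is shown here; if the addition is the language-specific "title" key, it overrides the shared title for JavaScript only, and its wording "Hard-coded passwords are security-sensitive" should be checked against the narrowed scope the PR title ("Focus on passwords only") describes so the two do not drift apart.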
63 changes: 52 additions & 11 deletions rules/S2068/javascript/rule.adoc
@@ -1,16 +1,37 @@
include::../description.adoc[]
Because it is easy to extract strings from an application source code or binary, passwords should not be hard-coded. This is particularly true for applications that are distributed or that are open-source.

include::../ask-yourself.adoc[]

include::../recommended.adoc[]
In the past, it has led to the following vulnerabilities:

* http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13466[CVE-2019-13466]
* http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-15389[CVE-2018-15389]

Passwords should be stored outside of the code in a configuration file, a database, or a management service for passwords.


This rule flags instances of hard-coded passwords used in database and LDAP connections. It looks for hard-coded passwords in connection strings, and for variable names that match any of the patterns from the provided list.

== Ask Yourself Whether

* Passwords allow access to a sensitive component like a database, a file storage, an API or a service.
* Passwords are used in production environments.
* Application re-distribution is required before updating the passwords.

There is a risk if you answered yes to any of those questions.

== Recommended Secure Coding Practices

* Store the passwords in a configuration file that is not pushed to the code repository.
* Store the passwords in a database.
* Use your cloud provider's service for managing passwords.
* If a password has been disclosed through the source code: change it.

== Sensitive Code Example

----
var mysql = require('mysql');
const mysql = require('mysql');

var connection = mysql.createConnection(
{
const connection = mysql.createConnection({
host:'localhost',
user: "admin",
database: "project",
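Review bot: the Sensitive Code Example block opens with a bare `----` delimiter while the Compliant Solution block that follows carries a `[source,javascript]` attribute; add the same attribute here so both examples are highlighted consistently. Two points in the newly inlined prose: the two CVE links use `http://cve.mitre.org/...` rather than https, and the sentence "for variable names that match any of the patterns from the provided list" should name the `passwordWords` parameter that supplies that list, otherwise a reader of the rule description has no way to find or tune it. The recommendation "Store the passwords in a database." also deserves a qualifier, since the credentials that open that database cannot themselves be stored in it.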
@@ -25,9 +46,9 @@ connection.connect();

[source,javascript]
----
var mysql = require('mysql');
const mysql = require('mysql');

var connection = mysql.createConnection({
const connection = mysql.createConnection({
host: process.env.MYSQL_URL,
user: process.env.MYSQL_USERNAME,
password: process.env.MYSQL_PASSWORD,
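Review bot: the compliant solution reads the credentials from `process.env.MYSQL_URL`, `process.env.MYSQL_USERNAME` and `process.env.MYSQL_PASSWORD`, but none of the Recommended Secure Coding Practices listed above mention environment variables (they list a configuration file kept out of the repository, a database, or a cloud provider's secrets service). Either add environment variables to that list or add a sentence under the example saying how those variables are expected to be populated, so that the example and the recommendation agree.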
@@ -36,17 +57,37 @@ var connection = mysql.createConnection({
connection.connect();
----

include::../see.adoc[]
== See

* OWASP - https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures/[Top 10 2021 Category A7 - Identification and Authentication Failures]
* OWASP - https://owasp.org/www-project-top-ten/2017/A2_2017-Broken_Authentication[Top 10 2017 Category A2 - Broken Authentication]
* CWE - https://cwe.mitre.org/data/definitions/259[CWE-259 - Use of Hard-coded Password]
* Derived from FindSecBugs rule https://h3xstream.github.io/find-sec-bugs/bugs.htm#HARD_CODE_PASSWORD[Hard Coded Password]


ifdef::env-github,rspecator-view[]

'''
== Implementation Specification
(visible only on this page)

include::../message.adoc[]
=== Message

Review this potentially hard-coded password.


=== Parameters

.passwordWords
****

----
password, passwd, pwd, passphrase
----

Comma separated list of words identifying potential password
****

include::../parameters.adoc[]

'''
== Comments And Links
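Review bot: the parameter description "Comma separated list of words identifying potential password" reads as a fragment; consider "Comma-separated list of words identifying a potential password in a variable name." so it states what the words are matched against. Related: the rule text above says the rule also inspects connection strings, while `passwordWords` only covers variable-name words, so either confirm in the description that the connection-string check does not depend on this list or say that it does.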