mirror of
https://github.com/github/codeql.git
synced 2026-05-04 21:25:44 +02:00
45 lines
1.4 KiB
XML
45 lines
1.4 KiB
XML
<!DOCTYPE qhelp PUBLIC
|
|
"-//Semmle//qhelp//EN"
|
|
"qhelp.dtd">
|
|
<qhelp>
|
|
|
|
<overview>
|
|
<p>
|
|
Including unencrypted hard-coded authentication credentials in source code is dangerous because
|
|
the credentials may be easily discovered. For example, the code may be open source, or it may
|
|
be leaked or accidentally revealed, making the credentials visible to an attacker. This, in turn,
|
|
might enable them to gain unauthorized access, or to obtain privileged information.
|
|
</p>
|
|
</overview>
|
|
|
|
<recommendation>
|
|
<p>
|
|
Remove hard-coded credentials, such as user names, passwords and certificates, from source code.
|
|
Instead, place them in configuration files, environment variables or other data stores if necessary.
|
|
If possible, store configuration files including credential data separately from the source code,
|
|
in a secure location with restricted access.
|
|
</p>
|
|
</recommendation>
|
|
|
|
<example>
|
|
<p>
|
|
The following code example connects to a database using a hard-coded user name and password:
|
|
</p>
|
|
|
|
<sample src="HardcodedCredentialsApiCall.java"/>
|
|
|
|
<p>
|
|
Instead, the user name and password could be supplied through environment variables,
|
|
which can be set externally without hard-coding credentials in the source code.
|
|
</p>
|
|
</example>
|
|
|
|
<references>
|
|
<li>
|
|
OWASP:
|
|
<a href="https://www.owasp.org/index.php/Use_of_hard-coded_password">Use of hard-coded password</a>.
|
|
</li>
|
|
</references>
|
|
|
|
</qhelp>
|