Sensei Hub

Recipe - Avoid hardcoded secrets when using the Encryptors class

Description:
Using the Encryptors class in combination with hardcoded secrets is security sensitive
Level:
error
Language:
  • java
Tags:
  • Spring
  • security
  • framework specific
  • Spring Security
Documentation

Storing passwords or other secrets in plain text in the source code is a serious security risk. Because credentials are frequently reused, an attacker with access to the repository could use a hardcoded credential to compromise other systems or applications, and source code is also regularly leaked or published, which makes the credential available to anyone. A secret that has ever been committed must be treated as compromised and rotated, since it remains in the version control history even after the offending line is removed. If the application genuinely needs the secret at runtime, read it from the environment (or, better, from a secrets manager or a file with restricted permissions) instead of compiling it into the code. For Encryptors this applies to the password argument of standard, stronger, text, delux and queryableText; the salt is not secret, but it must be supplied consistently, because changing it changes the derived key and previously encrypted data can no longer be decrypted.

Before
Encryptors.stronger("Hunter2", salt);
After
Encryptors.stronger(System.getenv("PASSWORD"), salt);
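The After snippet shows only the rewritten argument. The following is an added example, not code from the recipe page or from Spring Security, of a complete factory built around the same fix: the password and the hex-encoded salt are read from two environment variables, a missing value fails fast at startup, and a helper generates a suitable salt once. The class name and the variable names APP_ENC_PASSWORD and APP_ENC_SALT are assumptions.

```java
import java.nio.charset.StandardCharsets;
import org.springframework.security.crypto.encrypt.BytesEncryptor;
import org.springframework.security.crypto.encrypt.Encryptors;
import org.springframework.security.crypto.keygen.KeyGenerators;

// Added example (not the recipe's own code). The class name and the two
// environment variable names are assumptions; use whatever your deployment defines.
public final class SecretEncryptorFactory {

    static final String PASSWORD_VAR = "APP_ENC_PASSWORD";
    static final String SALT_VAR = "APP_ENC_SALT";

    private SecretEncryptorFactory() {
    }

    // Builds the AES/GCM encryptor from runtime configuration. No secret is
    // compiled into the class, and a missing variable throws at startup instead
    // of silently deriving a key from null or an empty string.
    public static BytesEncryptor fromEnvironment() {
        String password = requireEnv(PASSWORD_VAR);
        // Encryptors.stronger expects a hex-encoded salt (it is decoded with
        // Hex.decode). The salt is not secret, but it must stay constant across
        // restarts, otherwise data encrypted earlier can no longer be decrypted.
        String saltHex = requireEnv(SALT_VAR);
        return Encryptors.stronger(password, saltHex);
    }

    // Reads an environment variable and rejects unset or empty values.
    static String requireEnv(String name) {
        String value = System.getenv(name);
        if (value == null || value.trim().isEmpty()) {
            throw new IllegalStateException("Required environment variable " + name + " is not set");
        }
        return value;
    }

    // One-off helper to produce a value for APP_ENC_SALT: 8 random bytes, hex encoded,
    // which is the format Encryptors.stronger accepts.
    public static String generateSaltHex() {
        return KeyGenerators.string().generateKey();
    }

    public static void main(String[] args) {
        BytesEncryptor encryptor = fromEnvironment();
        // Constructed sample input; ciphertext differs on every call because
        // stronger() uses a random IV per encryption.
        byte[] plaintext = "4111 1111 1111 1111".getBytes(StandardCharsets.UTF_8);
        byte[] ciphertext = encryptor.encrypt(plaintext);
        String roundTrip = new String(encryptor.decrypt(ciphertext), StandardCharsets.UTF_8);
        System.out.println("round trip ok: " + roundTrip.equals("4111 1111 1111 1111"));
    }
}
```

Set the variables before starting the JVM (for example export APP_ENC_PASSWORD from your secret store and export APP_ENC_SALT to a value produced once by generateSaltHex(), then keep that salt alongside the encrypted data). Note that environment variables are readable by anyone who can inspect the process (/proc/<pid>/environ, crash dumps, child processes), so they are a step up from hardcoding but not the final word; in production prefer a secrets manager or a permission-restricted file. If you need a TextEncryptor rather than a BytesEncryptor, Encryptors.delux takes the same password and salt arguments and wraps stronger() with hex encoding.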
Recipe
id: scw:spring:encryptors:hardcoded
version: 10
metadata:
  name: Avoid hardcoded secrets when using the Encryptors class
  shortDescription: Using the Encryptors class in combination with hardcoded secrets is security sensitive
  level: error
  language: java
  scwCategory: broken_cryptography:use_of_hardcoded_keys
  enabled: true
  descriptionFile: descriptions/AvoidhardcodedsecretswhenusingtheEncryptorsclass.html
  tags: Spring;security;framework specific;Spring Security
search:
  methodcall:
    args:
      1:
        not:
          value:
            containsUntrustedInput: true
        type: java.lang.String
    name:
      matches: standard|stronger|text|delux|queryableText
    type: org.springframework.security.crypto.encrypt.Encryptors
availableFixes:
- name: Retrieve the password from an environment variable
  actions:
  - modifyArguments:
      rewrite:
        1: java.lang.System.getenv("PASSWORD")