Sensei Hub

Recipe - Avoid hardcoded secrets when using password encoders

Description:
Using password encoders in combination with hardcoded secrets is security sensitive
Level:
error
Language:
  • java
Tags:
  • Spring
  • security
  • framework specific
  • Spring Security
Documentation
Storing passwords or other secrets as plain-text literals in source code is a serious security risk. A call such as encoder.encode("Hunter2") is typically used to seed or bootstrap an account; the value that gets stored is a hash, but the plaintext literal itself stays in the repository and in its history. Because credentials are frequently reused, an attacker with access to a repository containing hardcoded credentials could use them to compromise other systems or applications. The code may also end up being published, making the credential available to anyone. If a secret really does need to be supplied at this point, read it from an environment variable that is set by the deployment platform's secret mechanism (not from a file committed alongside the code), and fail closed if it is missing rather than falling back to a default. This recipe matches only a constant String passed as the first argument to encode() on a Spring PasswordEncoder; a hardcoded secret passed to matches() is not flagged by it.
Before: encoder.encode("Hunter2");
After: encoder.encode(System.getenv("PASSWORD"));
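The following is an added example, not code from the Sensei recipe or from Spring Security, showing the flagged pattern next to the fixed one in a realistic bootstrap scenario. The class name, the helper requireSecretFromEnv and the variable name ADMIN_BOOTSTRAP_PASSWORD are assumptions chosen for the illustration; BCryptPasswordEncoder and PasswordEncoder are the real Spring Security types named in the recipe.

```java
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

/**
 * Added example (not part of the Sensei recipe): hashing a bootstrap
 * administrator password without leaving the plaintext in the repository.
 *
 * Assumption: the environment variable name ADMIN_BOOTSTRAP_PASSWORD and
 * the helper methods below are invented for this illustration.
 */
public final class BootstrapPasswordExample {

    private static final String ENV_VAR = "ADMIN_BOOTSTRAP_PASSWORD";

    /**
     * Reads the secret from the environment and fails closed if it is absent.
     * Refusing to start is safer than silently hashing an empty or default value.
     */
    static String requireSecretFromEnv(String name) {
        String value = System.getenv(name);
        if (value == null || value.isBlank()) {
            throw new IllegalStateException(
                "Environment variable " + name + " must be set; refusing to proceed without a bootstrap password");
        }
        return value;
    }

    /** The flagged pattern: the plaintext secret is a literal in source control. */
    static String hashHardcoded(PasswordEncoder encoder) {
        return encoder.encode("Hunter2"); // flagged by scw:spring:security:hardcoded-secrets
    }

    /** The fixed pattern: only the variable name is in source; the value comes from the deployment. */
    static String hashFromEnvironment(PasswordEncoder encoder) {
        return encoder.encode(requireSecretFromEnv(ENV_VAR));
    }

    public static void main(String[] args) {
        PasswordEncoder encoder = new BCryptPasswordEncoder();

        // Persist the hash (never the plaintext); later logins are checked with matches().
        String hash = hashFromEnvironment(encoder);
        System.out.println("bcrypt hash: " + hash);
        System.out.println("verifies: " + encoder.matches(requireSecretFromEnv(ENV_VAR), hash));
    }
}
```

Run it with the secret injected by the platform, for example ADMIN_BOOTSTRAP_PASSWORD=... java BootstrapPasswordExample; without the variable set it throws instead of hashing a default. Keep the variable out of shell history and CI logs, and supply it from the platform's secret store rather than from a .env file checked into the repository, otherwise the secret has merely moved to a different file in the same repository.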

Resources

Recipe
id: scw:spring:security:hardcoded-secrets
version: 10
metadata:
  name: Avoid hardcoded secrets when using password encoders
  shortDescription: Using password encoders in combination with hardcoded secrets is security sensitive
  level: error
  language: java
  scwCategory: broken_cryptography:use_of_hardcoded_keys
  enabled: true
  descriptionFile: descriptions/Avoidhardcodedsecretswhenusingpasswordencoders.html
  tags: Spring;security;framework specific;Spring Security
search:
  methodcall:
    args:
      1:
        type: java.lang.String
        value:
          containsUntrustedInput: false
    name: encode
    anyOf:
    - type: org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder
    - type: org.springframework.security.crypto.scrypt.SCryptPasswordEncoder
    - type: org.springframework.security.crypto.password.Pbkdf2PasswordEncoder
    - type: org.springframework.security.crypto.argon2.Argon2PasswordEncoder
    - type: org.springframework.security.crypto.password.PasswordEncoder
availableFixes:
- name: Retrieve the password from an environment variable
  actions:
  - modifyArguments:
      rewrite:
        1: java.lang.System.getenv("PASSWORD")