Recipe Name:
Avoid hardcoded secrets when using the Encryptors class
Description:
Using the Encryptors class in combination with hardcoded secrets is security sensitive
Level:
error
Language:
- java
Tags:
- Spring
- security
- framework specific
- Spring Security
Documentation
Storing passwords or other secrets in plain text in the source code is a serious security risk. Because credentials are frequently reused, an attacker with access to a repository containing hardcoded credentials could use them to compromise other systems or applications. Another possible scenario is that the code ends up being published, making the credentials publicly available to anyone. If a secret really needs to be stored, read it from an environment variable instead of embedding it in the code.
Before
Encryptors.stronger("Hunter2", salt);
After
Encryptors.stronger(System.getenv("PASSWORD"), salt);
References
Recipe
id: scw:spring:encryptors:hardcoded
version: 10
metadata:
  name: Avoid hardcoded secrets when using the Encryptors class
  shortDescription: Using the Encryptors class in combination with hardcoded secrets is security sensitive
  level: error
  language: java
  scwCategory: broken_cryptography:use_of_hardcoded_keys
  enabled: true
  descriptionFile: descriptions/AvoidhardcodedsecretswhenusingtheEncryptorsclass.html
  tags: Spring;security;framework specific;Spring Security
search:
  methodcall:
    args:
      1:
        not:
          value:
            containsUntrustedInput: true
        type: java.lang.String
    name:
      matches: standard|stronger|text|delux|queryableText
    type: org.springframework.security.crypto.encrypt.Encryptors
availableFixes:
  - name: Retrieve the password from an environment variable
    actions:
      - modifyArguments:
          rewrite:
            1: java.lang.System.getenv("PASSWORD")
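The recipe's fix rewrites the first argument of the Encryptors call to System.getenv("PASSWORD"), which removes the literal from the source but leaves open what happens when the variable is unset (System.getenv returns null, and the encryptor would fail later with a less obvious error). The following Java class is an added example, not code from the recipe or from Spring Security: it shows the rewritten call in context, reads both the password and the salt from the environment, and fails fast with a clear message when either is missing. The environment variable names PASSWORD and ENCRYPTION_SALT are assumptions for this example; the Spring Security API calls (Encryptors.stronger, BytesEncryptor, KeyGenerators.string) are real.

```java
import org.springframework.security.crypto.encrypt.BytesEncryptor;
import org.springframework.security.crypto.encrypt.Encryptors;
import org.springframework.security.crypto.keygen.KeyGenerators;

import java.nio.charset.StandardCharsets;
import java.util.Arrays;

public class EncryptorsSecretExample {

    // Hypothetical environment variable names chosen for this example.
    private static final String PASSWORD_ENV = "PASSWORD";
    private static final String SALT_ENV = "ENCRYPTION_SALT";

    /**
     * Reads a required secret from the environment. System.getenv returns null for an
     * unset variable, so the check here turns a silent null into an explicit startup failure.
     */
    static String requireEnv(String name) {
        String value = System.getenv(name);
        if (value == null || value.isEmpty()) {
            throw new IllegalStateException("Missing required environment variable: " + name);
        }
        return value;
    }

    /**
     * Builds an AES-GCM BytesEncryptor with no secret material in the source.
     * This is the shape of the call after the recipe's fix has been applied, plus the
     * missing-variable check.
     */
    static BytesEncryptor buildEncryptor() {
        String password = requireEnv(PASSWORD_ENV);
        // Encryptors.stronger expects the salt as a hex-encoded string. Generate it once
        // (see newHexSalt below), store it next to the password, and keep it out of the code.
        String salt = requireEnv(SALT_ENV);
        return Encryptors.stronger(password, salt);
    }

    /** Produces a fresh hex-encoded salt suitable for Encryptors.stronger / Encryptors.text. */
    static String newHexSalt() {
        return KeyGenerators.string().generateKey();
    }

    public static void main(String[] args) {
        BytesEncryptor encryptor = buildEncryptor();
        // Constructed sample input for the round trip.
        byte[] plaintext = "sample record".getBytes(StandardCharsets.UTF_8);
        byte[] ciphertext = encryptor.encrypt(plaintext);
        byte[] roundTrip = encryptor.decrypt(ciphertext);
        System.out.println("round trip ok: " + Arrays.equals(plaintext, roundTrip));
    }
}
```

Run it with both variables set, for example `PASSWORD=... ENCRYPTION_SALT=$(...)` where the salt value comes from a one-time call to newHexSalt(); run it with either variable unset and it stops at startup with the IllegalStateException rather than at the first encrypt call. The recipe's search matches any String first argument that does not contain untrusted input, which is what makes a literal such as "Hunter2" a finding while the System.getenv call is not.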