Recipe Name:
Avoid hardcoded secrets when using password encoders
Description:
Using password encoders in combination with hardcoded secrets is security-sensitive
Level:
error
Language:
- java
Tags:
- Spring
- security
- framework specific
- Spring Security
Documentation
Storing passwords or other secrets as plain-text literals in source code is a serious security risk. Anyone with read access to the repository, including its history, learns the credential; because credentials are frequently reused, that person can use it to compromise other systems and applications. The code may also be published later, for example to a public repository, making the secret available to anyone.
If the application genuinely needs such a secret at runtime, inject it from the deployment environment instead, for instance through an environment variable read with System.getenv, so that the value is never committed to source control. Note that System.getenv returns null when the variable is unset, so validate the value before passing it to the encoder rather than letting encode() fail with an unhelpful exception.
Before:
    encoder.encode("Hunter2");
After:
    encoder.encode(System.getenv("PASSWORD"));
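The following Spring Security configuration is an added example written for this page; it is not code from Secure Code Warrior or from Spring. It shows the pattern the recipe flags (a plaintext password literal passed to a PasswordEncoder when building an in-memory user) next to the hardened form, which reads the secret from an environment variable and refuses to start when the variable is missing or blank. The environment variable name ADMIN_BOOTSTRAP_PASSWORD and the user name "admin" are assumptions chosen for the example.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;

@Configuration
public class BootstrapUserConfig {

    // Assumed name of the environment variable supplied by the deployment (example choice).
    private static final String BOOTSTRAP_PASSWORD_ENV = "ADMIN_BOOTSTRAP_PASSWORD";

    @Bean
    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }

    // Flagged by the recipe: the plaintext secret is a String literal in source,
    // so anyone who can read the repository (or its history) learns the password.
    static UserDetails vulnerableAdmin(PasswordEncoder encoder) {
        return User.withUsername("admin")
                .password(encoder.encode("Hunter2"))
                .roles("ADMIN")
                .build();
    }

    // Hardened: the secret is injected at runtime and never committed.
    static UserDetails hardenedAdmin(PasswordEncoder encoder) {
        return User.withUsername("admin")
                .password(encoder.encode(requireEnv(BOOTSTRAP_PASSWORD_ENV)))
                .roles("ADMIN")
                .build();
    }

    // System.getenv returns null for an unset variable; the encoder rejects null,
    // and an empty string would silently become a valid (empty) password hash.
    // Fail fast at startup instead of creating an account with a bad credential.
    static String requireEnv(String name) {
        String value = System.getenv(name);
        if (value == null || value.isBlank()) {
            throw new IllegalStateException(
                    "Environment variable " + name + " must be set to a non-empty value");
        }
        return value;
    }

    @Bean
    public UserDetailsService userDetailsService(PasswordEncoder encoder) {
        // Only the hardened variant is wired into the application context.
        return new InMemoryUserDetailsManager(hardenedAdmin(encoder));
    }
}
```

The vulnerableAdmin method is kept only to show what the rule matches; it is not registered as a bean. The null and blank check matters because the recipe's automatic fix substitutes System.getenv("PASSWORD") directly, which is correct only when the variable is guaranteed to be set.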
Resources
Recipe
id: scw:spring:security:hardcoded-secrets
version: 10
metadata:
  name: Avoid hardcoded secrets when using password encoders
  shortDescription: Using password encoders in combination with hardcoded secrets is security-sensitive
  level: error
  language: java
  scwCategory: broken_cryptography:use_of_hardcoded_keys
  enabled: true
  descriptionFile: descriptions/Avoidhardcodedsecretswhenusingpasswordencoders.html
  tags: Spring;security;framework specific;Spring Security
search:
  methodcall:
    args:
      1:
        type: java.lang.String
        value:
          containsUntrustedInput: false
    name: encode
    anyOf:
      - type: org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder
      - type: org.springframework.security.crypto.scrypt.SCryptPasswordEncoder
      - type: org.springframework.security.crypto.password.Pbkdf2PasswordEncoder
      - type: org.springframework.security.crypto.argon2.Argon2PasswordEncoder
      - type: org.springframework.security.crypto.password.PasswordEncoder
availableFixes:
  - name: Retrieve the password from an environment variable
    actions:
      - modifyArguments:
          rewrite:
            1: java.lang.System.getenv("PASSWORD")