
Conversation

@adrienpessu
Contributor

For the context, a customer was confused by the PostgreSQL connection example, as the query had detected a hard-coded credential in the HTTP header Authorization.
The help seems out of context for them.
It may be useful to add more examples to match the broad detection that the query provides.

@adrienpessu adrienpessu requested a review from a team as a code owner June 19, 2023 17:05
@github-actions
Contributor

QHelp previews:

javascript/ql/src/Security/CWE-798/HardcodedCredentials.qhelp

Hard-coded credentials

Including unencrypted hard-coded authentication credentials in source code is dangerous because the credentials may be easily discovered. For example, the code may be open source, or it may be leaked or accidentally revealed, making the credentials visible to an attacker. This, in turn, might enable them to gain unauthorized access, or to obtain privileged information.

Recommendation

Remove hard-coded credentials, such as user names, passwords and certificates, from source code. Instead, place them in configuration files, environment variables or other data stores if necessary. If possible, store configuration files including credential data separately from the source code, in a secure location with restricted access.

Example

The following code example makes an HTTP request using a hard-coded Authorization header:

let base64 = require('base-64');

let url = 'http://example.org/auth';
let username = 'user';
let password = 'passwd';

let headers = new Headers();

//headers.append('Content-Type', 'text/json');
headers.append('Authorization', 'Basic ' + base64.encode(username + ":" + password));

fetch(url, {method:'GET',
        headers: headers,
        //credentials: 'user:passwd'
       })
.then(response => response.json())
.then(json => console.log(json));
//.done();

Instead, user name and password can be supplied through environment variables such as USERNAME and PASSWORD, which can be set externally without hard-coding credentials in the source code.

Example

The following code example connects to a Postgres database using the pg package and hard-codes user name and password:

const pg = require("pg");

const client = new pg.Client({
  user: "bob",
  host: "database.server.com",
  database: "mydb",
  password: "correct-horse-battery-staple",
  port: 3211
});
client.connect();

Instead, user name and password can be supplied through the environment variables PGUSER and PGPASSWORD, which can be set externally without hard-coding credentials in the source code.

References

@erik-krogh
Contributor

Could you also add another <sample/> in the bottom of the example showing the safe way of doing it?

I know we didn't have that before, but we might as well add that.

And why are some of the lines commented out in your example?
The first two comments can just be deleted, right?
And I think the last comment should be code instead of a comment.

@owen-mc owen-mc changed the title Add another example the Hardcoded credential help JS: Add another example the Hardcoded credential help Jun 20, 2023
@github-actions
Contributor

QHelp previews:

javascript/ql/src/Security/CWE-798/HardcodedCredentials.qhelp

errors/warnings:

/home/runner/work/codeql/codeql/javascript/ql/src/Security/CWE-798/HardcodedCredentials.qhelp:38:3: text not allowed here; expected the element end-tag or element "blockquote", "img", "include", "ol", "p", "pre", "sample", "table", "ul" or "warning"
A fatal error occurred: 1 qhelp files could not be processed.

@adrienpessu
Contributor Author

That's a good point, I have added a NodeJS example. And uncommented those 2 lines 😄

@github-actions
Copy link
Contributor

github-actions bot commented Jun 20, 2023

QHelp previews:

javascript/ql/src/Security/CWE-798/HardcodedCredentials.qhelp

Hard-coded credentials

Including unencrypted hard-coded authentication credentials in source code is dangerous because the credentials may be easily discovered. For example, the code may be open source, or it may be leaked or accidentally revealed, making the credentials visible to an attacker. This, in turn, might enable them to gain unauthorized access, or to obtain privileged information.

Recommendation

Remove hard-coded credentials, such as user names, passwords and certificates, from source code. Instead, place them in configuration files, environment variables or other data stores if necessary. If possible, store configuration files including credential data separately from the source code, in a secure location with restricted access.

Example

The following code example makes an HTTP request using a hard-coded Authorization header:

let base64 = require('base-64');

let url = 'http://example.org/auth';
let username = 'user';
let password = 'passwd';

let headers = new Headers();

headers.append('Content-Type', 'text/json');
headers.append('Authorization', 'Basic ' + base64.encode(username + ":" + password));

fetch(url, {
          method:'GET',
          headers: headers
       })
.then(response => response.json())
.then(json => console.log(json));

Instead, user name and password can be supplied through the environment variables USERNAME and PASSWORD, which can be set externally without hard-coding credentials in the source code:

let base64 = require('base-64');

let url = 'http://example.org/auth';
let username = process.env.USERNAME;
let password = process.env.PASSWORD;

let headers = new Headers();

headers.append('Content-Type', 'text/json');
headers.append('Authorization', 'Basic ' + base64.encode(username + ":" + password));

fetch(url, {
        method:'GET',
        headers: headers
     })
.then(response => response.json())
.then(json => console.log(json));

Example

The following code example connects to a Postgres database using the pg package and hard-codes user name and password:

const pg = require("pg");

const client = new pg.Client({
  user: "bob",
  host: "database.server.com",
  database: "mydb",
  password: "correct-horse-battery-staple",
  port: 3211
});
client.connect();

Instead, user name and password can be supplied through the environment variables PGUSER and PGPASSWORD, which can be set externally without hard-coding credentials in the source code.

References
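The two qhelp examples above (the Basic Authorization header and the pg client) both end with "read the secret from the environment instead". The following is an added example, not code from the qhelp or from this PR, showing the hardened form of both with the checks a reviewer would expect: the lookup fails closed when a variable is unset, the Basic scheme is built per RFC 7617 with the space after "Basic" and a colon-free user-id, and the pg config carries no secret at all because pg falls back to PGUSER/PGPASSWORD itself. It uses Node's built-in Buffer for Base64 instead of the base-64 package so it runs without dependencies, and the variable names API_USERNAME and API_PASSWORD are an assumption chosen to avoid USERNAME, which Windows already sets to the login name. No network call is made; the functions return the request options and config objects so they can be inspected.

```javascript
// Added example (not part of the qhelp or the PR).
// Node >= 14 for `??`; no third-party packages required.

// Look up a required secret at call time; fail closed instead of sending an
// empty or undefined credential.
function requireEnv(name, env = process.env) {
  const value = env[name];
  if (value === undefined || value === '') {
    throw new Error(`missing required environment variable ${name}`);
  }
  return value;
}

// Basic scheme per RFC 7617: "Basic " + base64(user-id ":" password).
// The user-id must not contain a colon, otherwise the server cannot split it.
function basicAuthHeader(username, password) {
  if (username.includes(':')) {
    throw new Error('user-id must not contain a colon (RFC 7617 section 2)');
  }
  const token = Buffer.from(`${username}:${password}`, 'utf8').toString('base64');
  return `Basic ${token}`;
}

// Request options for fetch(); the credentials come from the environment,
// never from literals in the source. Variable names are assumptions.
function buildAuthRequest(env = process.env) {
  const username = requireEnv('API_USERNAME', env);
  const password = requireEnv('API_PASSWORD', env);
  return {
    method: 'GET',
    headers: {
      'Content-Type': 'application/json',
      'Authorization': basicAuthHeader(username, password),
    },
  };
}

// pg.Client config without user/password fields: pg reads PGUSER and
// PGPASSWORD (and PGHOST/PGPORT) from the environment when they are omitted,
// so no secret is ever present in the config object or the source.
function buildPgConfig(env = process.env) {
  return {
    host: env.PGHOST ?? 'localhost',
    database: requireEnv('PGDATABASE', env),
    port: Number(env.PGPORT ?? 5432),
  };
}

// Decode a Basic header back into its parts; useful to verify what a client
// would actually send (everything after the first colon is the password).
function parseBasicAuth(header) {
  const m = /^Basic (\S+)$/.exec(header);
  if (!m) return null;
  const [user, ...rest] = Buffer.from(m[1], 'base64').toString('utf8').split(':');
  return { user, password: rest.join(':') };
}

// Usage with a constructed sample environment (not real credentials):
//   const demoEnv = { API_USERNAME: 'user', API_PASSWORD: 'passwd', PGDATABASE: 'mydb' };
//   fetch('http://example.org/auth', buildAuthRequest(demoEnv));
//   new pg.Client(buildPgConfig(demoEnv)).connect();
```

The same header value the qhelp example produces with base-64 comes out here without the package, and the only way to get a credential into the request is through the process environment, which is what CWE-798 scanners expect to see.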

@adrienpessu adrienpessu requested a review from erik-krogh June 21, 2023 08:12
Contributor

@erik-krogh erik-krogh left a comment


A final nit, and then I think this is ready.

adrienpessu and others added 2 commits June 21, 2023 12:55
@adrienpessu adrienpessu requested a review from erik-krogh June 21, 2023 11:55
@erik-krogh erik-krogh merged commit 3b0220d into github:main Jun 21, 2023