contrib.nodejsscan.hardcoded_secrets.node_username

A hardcoded username in plain text was identified. Store it in an environment variable instead.
Definition
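# Semgrep rule: flag JavaScript assignments of a string literal to a username-like
# name. Indentation below is restored so the listing is valid YAML (the rendered
# page had flattened every line to column 0).
rules:
- id: node_username
  patterns:
  # Exclusions: an assignment of the empty string is not treated as a hardcoded
  # credential (typically a placeholder to be filled in later).
  - pattern-not: username = ''
  - pattern-not: userName = ''
  - pattern-not: USERNAME = ''
  - pattern-not: user = ''
  - pattern-not: USER = ''
  - pattern-not: $X['...'] = ''
  # Positive cases: '...' matches any string literal, $X any expression.
  # Bare identifiers, bracket-property and dot-property forms are each listed
  # for the same five spellings. Note that `user = '...'` also matches
  # non-credential uses (e.g. a display name or role string), so expect some
  # findings to need triage rather than remediation.
  - pattern-either:
    - pattern: |
        username = '...';
    - pattern: |
        userName = '...';
    - pattern: |
        USERNAME = '...';
    - pattern: |
        user = '...';
    - pattern: |
        USER = '...';
    - pattern: |
        $X['username'] = '...';
    - pattern: |
        $X['userName'] = '...';
    - pattern: |
        $X['USERNAME'] = '...';
    - pattern: |
        $X['user'] = '...';
    - pattern: |
        $X['USER'] = '...';
    - pattern: |
        $X.username = '...';
    - pattern: |
        $X.userName = '...';
    - pattern: |
        $X.USERNAME = '...';
    - pattern: |
        $X.user = '...';
    - pattern: |
        $X.USER = '...';
  message: A hardcoded username in plain text is identified. Store it properly in
    an environment variable.
  languages:
  - javascript
  severity: ERROR
  metadata:
    owasp: A03:2017 - Sensitive Data Exposure
    cwe: "CWE-798: Use of Hard-coded Credentials"
    category: security
    technology:
    - node.js
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]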
Examples
hardcoded_secrets.js
// Semgrep test fixture for the sibling hardcoded-secret rules (node_password,
// node_api_key). A `// ruleid:<rule>` comment marks the line that follows it as an
// expected finding for that rule; lines without an annotation are expected to
// produce no finding. Do not insert anything between a `ruleid:` comment and the
// line it annotates.
// NOTE(review): this excerpt carries no `ruleid:node_username` annotation, so it
// does not exercise the node_username rule defined above — confirm against the
// full fixture file.
// The fixture is meant to be scanned, not executed: `password` is later declared
// with const, let and var in the same scope, which would not parse as a real module.
// ruleid:node_password
password = '1212';
// Non-literal and numeric assignments: no annotation, so no finding is expected.
x = 1;
password = x;
pass = 123;
// ruleid:node_password
PASSWORD = '12211';
// ruleid:node_password
obj['password'] = '121233';
// ruleid:node_password
obj2.password = '1234';
// ruleid:node_password
obj2.pass = '1234';
// ruleid:node_password
obj2["pass"] = '1234';
// ruleid:node_password
const password = '1212';
// ruleid:node_password
let password = '1212';
// ruleid:node_password
var password = '1212';
// The api_key value below is a fixture constant, not a live credential.
// ruleid:node_api_key
angular.module('starter.services', [])
.constant('api_key', '6e906986c3b199c51fff3154cfb76979')
// Assigned from a variable rather than a string literal: no finding is expected.
this.apiUrl = api_url;