javascript.express.security.audit.express-session-hardcoded-secret.express-session-hardcoded-secret

Author
unknown
A hard-coded credential was detected. It is not recommended to store credentials in source code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials, or to retrieve credentials from a secure vault or HSM (Hardware Security Module).
Definition
rules:
- id: express-session-hardcoded-secret
  message: >-
    A hard-coded credential was detected. It is not recommended to store
    credentials in source-code, as this risks secrets being leaked and used by
    either an internal or external malicious adversary. It is recommended to
    use environment variables to securely provide credentials or retrieve
    credentials from a secure vault or HSM (Hardware Security Module).
  metadata:
    interfile: true
    cwe:
    - "CWE-798: Use of Hard-coded Credentials"
    references:
    - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_CheatSheet.html
    owasp:
    - A07:2021 - Identification and Authentication Failures
    category: security
    technology:
    - express
    - secrets
    cwe2022-top25: true
    cwe2021-top25: true
    subcategory:
    - vuln
    likelihood: HIGH
    impact: HIGH
    confidence: HIGH
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
  languages:
  - javascript
  - typescript
  severity: WARNING
  patterns:
  - pattern-either:
    - pattern-inside: |
        $SESSION = require('express-session');
        ...
    - pattern-inside: |
        import $SESSION from 'express-session'
        ...
    - pattern-inside: |
        import {..., $SESSION, ...} from 'express-session'
        ...
    - pattern-inside: |
        import * as $SESSION from 'express-session'
        ...
  - patterns:
    - pattern-either:
      - pattern-inside: $APP.use($SESSION({...}))
      - pattern: |
          $SECRET = $VALUE
          ...
          $APP.use($SESSION($SECRET))
    - pattern: |
        secret: '$Y'
Examples
express-session-hardcoded-secret.ts
import express from 'express'
import session from 'express-session'

const app = express()
const port = 3000

// A string literal bound to a variable: Semgrep's constant propagation resolves
// `a` to 'a', so passing it as `secret` below is still reported.
let a = 'a'

let config = {
  // ruleid: express-session-hardcoded-secret
  secret: 'a',
  resave: false,
  saveUninitialized: false,
}

let config1 = {
  // ok: express-session-hardcoded-secret
  secret: config.secret,
  resave: false,
  saveUninitialized: false,
}

app.use(session({
  // ruleid: express-session-hardcoded-secret
  secret: a,
  resave: false,
  saveUninitialized: false,
}));
app.use(session(config));
app.use(session(config1));

let secret2 = {
  resave: false,
  // ruleid: express-session-hardcoded-secret
  secret: 'foo',
  saveUninitialized: false,
}
app.use(session(secret2));

app.use(session({
  // ok: express-session-hardcoded-secret
  secret: config.secret,
  resave: false,
  saveUninitialized: false,
}));
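The remediation the rule message asks for, as an added example that is not part of the rule's test file or the express-session project: the session options are built from the environment rather than a literal, the process refuses to start if the secret is missing or short, and an optional previous secret is passed in express-session's array form so the secret can be rotated without invalidating existing sessions. The variable names SESSION_SECRET and SESSION_SECRET_PREVIOUS and the 32-byte minimum are assumptions.

```javascript
// Assumed policy: at least 32 bytes (256 bits) of secret material.
const MIN_SECRET_BYTES = 32;

// Build the options object for session() from an environment map
// (defaults to process.env). Throws instead of falling back to a default,
// so a missing secret stops deployment rather than signing session cookies
// with something predictable. Nothing secret ever appears in source.
function buildSessionOptions(env = process.env) {
  const current = env.SESSION_SECRET; // assumed variable name
  if (typeof current !== 'string' || current.length === 0) {
    throw new Error('SESSION_SECRET is not set; refusing to start without a session secret');
  }
  if (Buffer.byteLength(current, 'utf8') < MIN_SECRET_BYTES) {
    throw new Error(`SESSION_SECRET is shorter than ${MIN_SECRET_BYTES} bytes`);
  }

  // express-session accepts an array of secrets: index 0 signs new cookies,
  // the remaining entries are only used to verify cookies issued under an
  // older secret. Supplying the previous value during rotation keeps
  // existing sessions valid until they expire.
  const secrets = [current];
  const previous = env.SESSION_SECRET_PREVIOUS; // assumed variable name, optional
  if (typeof previous === 'string' && previous.length > 0 && previous !== current) {
    secrets.push(previous);
  }

  return {
    secret: secrets,
    resave: false,
    saveUninitialized: false,
  };
}

// Usage in the application (express and express-session assumed installed):
//   app.use(session(buildSessionOptions()));
```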
Short Link: https://sg.run/LYvG