javascript.express.security.audit.express-session-hardcoded-secret.express-session-hardcoded-secret
semgrepAuthor
unknown
Download Count*
License
A hard-coded credential was detected. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).
Run Locally
Run in CI
Defintion
rules:
- id: express-session-hardcoded-secret
message: A hard-coded credential was detected. It is not recommended to store
credentials in source-code, as this risks secrets being leaked and used by
either an internal or external malicious adversary. It is recommended to
use environment variables to securely provide credentials or retrieve
credentials from a secure vault or HSM (Hardware Security Module).
options:
interfile: true
metadata:
interfile: true
cwe:
- "CWE-798: Use of Hard-coded Credentials"
references:
- https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
owasp:
- A07:2021 - Identification and Authentication Failures
category: security
technology:
- express
- secrets
cwe2022-top25: true
cwe2021-top25: true
subcategory:
- vuln
likelihood: HIGH
impact: HIGH
confidence: HIGH
license: Commons Clause License Condition v1.0[LGPL-2.1-only]
vulnerability_class:
- Hard-coded Secrets
languages:
- javascript
- typescript
severity: WARNING
patterns:
- pattern-either:
- pattern-inside: |
$SESSION = require('express-session');
...
- pattern-inside: |
import $SESSION from 'express-session'
...
- pattern-inside: |
import {..., $SESSION, ...} from 'express-session'
...
- pattern-inside: |
import * as $SESSION from 'express-session'
...
- patterns:
- pattern-either:
- pattern-inside: $APP.use($SESSION({...}))
- pattern: |
$SECRET = $VALUE
...
$APP.use($SESSION($SECRET))
- pattern: |
secret: '$Y'
Examples
express-session-hardcoded-secret.ts
import express from 'express'
import session from 'express-session'
const app = express()
const port = 3000
let a = 'a'
let config = {
// ruleid: express-session-hardcoded-secret
secret: 'a',
resave: false,
saveUninitialized: false,
}
let config1 = {
// ok: express-session-hardcoded-secret
secret: config.secret,
resave: false,
saveUninitialized: false,
}
app.use(session({
// ruleid: express-session-hardcoded-secret
secret: a,
resave: false,
saveUninitialized: false,
}));
app.use(session(config));
app.use(session(config1));
let secret2 = {
resave: false,
// ruleid: express-session-hardcoded-secret
secret: 'foo',
saveUninitialized: false,
}
app.use(session(secret2));
app.use(session({
// ok: express-session-hardcoded-secret
secret: config.secret,
resave: false,
saveUninitialized: false,
}));Short Link: https://sg.run/LYvG