javascript.lang.security.audit.hardcoded-hmac-key.hardcoded-hmac-key


Detected a hardcoded HMAC key. Avoid hardcoding secrets; read the secret from a config file or an environment variable instead.


Definition

# Semgrep rule: flags crypto.createHmac() calls whose key argument is a string
# literal, either passed inline or bound earlier through a `const` declaration.
rules:
  - id: hardcoded-hmac-key
    message: Detected a hardcoded hmac key. Avoid hardcoding secrets and consider
      using an alternate option such as reading the secret from a config file or
      using an environment variable.
    # NOTE(review): presumably lets $SECRET in the second pattern be resolved
    # when the const lives in another file — confirm against the Semgrep docs.
    options:
      interfile: true
    metadata:
      interfile: true
      category: security
      technology:
        - crypto
        - hmac
      references:
        - https://rules.sonarsource.com/javascript/RSPEC-2068
        - https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html#key-management
      owasp:
        - A07:2021 - Identification and Authentication Failures
      cwe:
        - "CWE-798: Use of Hard-coded Credentials"
      cwe2022-top25: true
      cwe2021-top25: true
      # Audit-class rule with LOW likelihood/impact/confidence: findings are
      # candidates for manual review, not a proof that a live secret is present.
      subcategory:
        - audit
      likelihood: LOW
      impact: LOW
      confidence: LOW
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Hard-coded Secrets
    languages:
      - javascript
      - typescript
    severity: WARNING
    pattern-either:
      # Case 1: any string literal passed directly as the key argument.
      - pattern: $CRYPTO.createHmac($ALGO, '...')
      # Case 2: the key is a `const` bound to a string literal somewhere before
      # the createHmac call. Only this `const` + literal shape is spelled out
      # here; keys built from `let`/`var` bindings, template literals,
      # Buffer.from(...) or string concatenation are presumably not matched —
      # confirm with Semgrep's JS pattern semantics before relying on coverage.
      - patterns:
          - pattern-inside: |
              const $SECRET = '...'
              ...
          - pattern: $CRYPTO.createHmac($ALGO, $SECRET)

Examples

hardcoded-hmac-key.js

// Semgrep test fixture for hardcoded-hmac-key. A `// ruleid:` comment marks the
// following line as an expected finding; `// ok` marks an expected non-match.
// The file is not meant to run (`config` is never defined here).
const crypto = require("crypto");

// Case 1 of the rule: the HMAC secret is a string literal passed straight into
// createHmac, so the inline-literal pattern fires on this line.
// ruleid: hardcoded-hmac-key
exports.hmac = data => crypto.createHmac('sha256', 'pa4qacea4VK9t9nGv7yZtwmj').update(data).digest('hex')

// Module-level `const` bound to a string literal (a PEM-style private key).
// This is the binding the rule's `pattern-inside: const $SECRET = '...'`
// clause resolves when it is later used as an HMAC key.
const rsa_key = '-----BEGIN RSA PRIVATE KEY-----\r\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\r\n-----END RSA PRIVATE KEY-----'

// Case 2 of the rule: the secret reaches createHmac through `rsa_key`, a
// `const` bound to a literal above, so the second pattern fires on the
// createHmac line rather than on the declaration.
exports.deluxeToken = (email) => {
  // ruleid: hardcoded-hmac-key
  const hmac = crypto.createHmac('sha256', rsa_key)
  // NOTE(review): `this.roles` is not defined anywhere in this fixture and an
  // arrow function takes `this` from the enclosing scope — presumably filler
  // that is never executed; confirm before reusing this snippet elsewhere.
  return hmac.update(email + this.roles.deluxe).digest('hex')
}

// Negative case: the key comes from a runtime lookup (`config.get`), not from a
// string literal, so neither branch of the rule matches the createHmac call.
const safely_stored_key = config.get('AWS_KEY')
// ok
const safe_hmac = crypto.createHmac('sha256', safely_stored_key)