ruby.lang.security.hardcoded-http-auth-in-controller.hardcoded-http-auth-in-controller

Verified by r2c
Community Favorite
Author: semgrep
Download Count*: 98,234

Detected hardcoded password used in basic authentication in a controller class. Including this password in version control could expose this credential. Consider refactoring to use environment variables or configuration files.


Definition

rules:
  - id: hardcoded-http-auth-in-controller
    patterns:
      - pattern-inside: |
          class $CONTROLLER < ApplicationController
            ...
            http_basic_authenticate_with ..., :password => "$SECRET", ...
          end
      - focus-metavariable: $SECRET
    message: Detected hardcoded password used in basic authentication in a
      controller class. Including this password in version control could expose
      this credential. Consider refactoring to use environment variables or
      configuration files.
    severity: WARNING
    metadata:
      cwe:
        - "CWE-798: Use of Hard-coded Credentials"
      owasp:
        - A07:2021 - Identification and Authentication Failures
      references:
        - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
      source-rule-url: https://github.com/presidentbeef/brakeman/blob/main/docs/warning_types/basic_auth/index.markdown
      category: security
      technology:
        - ruby
        - secrets
      cwe2022-top25: true
      cwe2021-top25: true
      subcategory:
        - audit
      likelihood: MEDIUM
      impact: MEDIUM
      confidence: HIGH
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Hard-coded Secrets
    languages:
      - ruby

Examples

hardcoded-http-auth-in-controller.rb

class DangerousController < ApplicationController
  # ruleid:hardcoded-http-auth-in-controller
  http_basic_authenticate_with :name => "dhh", :password => "secret", :except => :index

  puts "do more stuff"

end

# ok:hardcoded-http-auth-in-controller
class OkController < ApplicationController

  http_basic_authenticate_with :name => "dhh", :password => not_a_string, :except => :index

  puts "do more stuff"

end
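As an added, stand-alone check (not the registry page's or the Semgrep project's code), the following Ruby script re-implements this rule's logic with the stdlib Ripper parser and runs it over a constructed controller file. It goes slightly beyond the rule's pattern by also matching the `password: "..."` label syntax; that extension, and the sample controllers, are assumptions made for the example.

```ruby
require "ripper"
# Constructed sample (not from the page): two hardcoded passwords, one in each
# argument syntax, and one controller that reads the secret from ENV instead.
SAMPLE_CONTROLLER = <<~RUBY
  class DangerousController < ApplicationController
    http_basic_authenticate_with :name => "dhh", :password => "secret", :except => :index
  end
  class LabelController < ApplicationController
    http_basic_authenticate_with(name: "dhh", password: "s3cret")
  end
  class OkController < ApplicationController
    http_basic_authenticate_with :name => "dhh", :password => ENV.fetch("ADMIN_PASSWORD")
  end
RUBY
# Yields [line, node] for every call to `name`, with or without parentheses.
def each_call(node, name, &blk)
  return unless node.is_a?(Array)
  ident = case node[0]
          when :command then node[1]
          when :method_add_arg then (node[1][1] if node[1].is_a?(Array) && node[1][0] == :fcall)
          end
  blk.call(ident[2][0], node) if ident.is_a?(Array) && ident[0] == :@ident && ident[1] == name
  node.each { |child| each_call(child, name, &blk) }
end

# Yields every nested node whose type tag is `type`.
def each_node(node, type, &blk)
  return unless node.is_a?(Array)
  blk.call(node) if node[0] == type
  node.each { |child| each_node(child, type, &blk) }
end

# Returns [{line:, password:}, ...] for each :password argument given as a plain string.
def hardcoded_basic_auth_passwords(source)
  tree = Ripper.sexp(source)
  return [] if tree.nil? # unparseable source: nothing to report
  findings = []
  each_call(tree, "http_basic_authenticate_with") do |line, call|
    each_node(call, :assoc_new) do |_, key, value|
      # Key node is [:symbol_literal, [:symbol, [:@ident, "password", ..]]] or [:@label, "password:", ..].
      next unless key.flatten.grep(String).first.to_s.delete_suffix(":") == "password"
      next unless value.is_a?(Array) && value[0] == :string_literal
      next if value.flatten.include?(:string_embexpr) # "#{...}" is not a fixed secret
      findings << { line: line, password: value.flatten.grep(String).join }
    end
  end
  findings
end

p hardcoded_basic_auth_passwords(SAMPLE_CONTROLLER) # lines 2 and 5 are reported, line 8 is not
```

The ENV-based controller is the shape the rule's message recommends: the literal leaves the source tree, so the rule (and this script) no longer report it.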