ruby.lang.security.hardcoded-http-auth-in-controller.hardcoded-http-auth-in-controller
Verified by r2c
Community Favorite
Author: semgrep
Download Count*: 98,234
License: Commons Clause License Condition v1.0[LGPL-2.1-only]
Detected hardcoded password used in basic authentication in a controller class. Including this password in version control could expose this credential. Consider refactoring to use environment variables or configuration files.
Definition
rules:
  - id: hardcoded-http-auth-in-controller
    patterns:
      - pattern-inside: |
          class $CONTROLLER < ApplicationController
            ...
            http_basic_authenticate_with ..., :password => "$SECRET", ...
          end
      - focus-metavariable: $SECRET
    message: Detected hardcoded password used in basic authentication in a
      controller class. Including this password in version control could expose
      this credential. Consider refactoring to use environment variables or
      configuration files.
    severity: WARNING
    metadata:
      cwe:
        - "CWE-798: Use of Hard-coded Credentials"
      owasp:
        - A07:2021 - Identification and Authentication Failures
      references:
        - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
      source-rule-url: https://github.com/presidentbeef/brakeman/blob/main/docs/warning_types/basic_auth/index.markdown
      category: security
      technology:
        - ruby
        - secrets
      cwe2022-top25: true
      cwe2021-top25: true
      subcategory:
        - audit
      likelihood: MEDIUM
      impact: MEDIUM
      confidence: HIGH
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Hard-coded Secrets
    languages:
      - ruby
Examples
hardcoded-http-auth-in-controller.rb
class DangerousController < ApplicationController
  # ruleid:hardcoded-http-auth-in-controller
  http_basic_authenticate_with :name => "dhh", :password => "secret", :except => :index
  puts "do more stuff"
end

# ok:hardcoded-http-auth-in-controller
class OkController < ApplicationController
  http_basic_authenticate_with :name => "dhh", :password => not_a_string, :except => :index
  puts "do more stuff"
end
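The following is an added example, not code from the registry page, the rule, or Semgrep. It reproduces the gist of the rule above with nothing but Ruby's standard-library Ripper parser: find a class whose superclass is ApplicationController, find a call to http_basic_authenticate_with inside it, and report the call when the :password argument is a plain string literal. It then runs over a constructed sample containing the page's two test classes, a parenthesised variant, and a hardened controller that reads the credential from the environment. The scanner is an approximation and does not reproduce every detail of Semgrep's matching (it deliberately ignores interpolated strings, and the ENV variable names ADMIN_USER and ADMIN_PASSWORD are hypothetical).

```ruby
# Added example (not part of the Semgrep registry page or the rule itself):
# a small Ripper-based scanner for hardcoded http_basic_authenticate_with passwords.
require "ripper"

# Constructed sample source. Lines 2 and 6 should be reported; nothing else should.
SAMPLE_SOURCE = <<~'RUBY'
  class DangerousController < ApplicationController
    http_basic_authenticate_with :name => "dhh", :password => "secret", :except => :index
  end

  class AlsoDangerousController < ApplicationController
    http_basic_authenticate_with(name: "dhh", password: "hunter2")
  end

  class OkController < ApplicationController
    http_basic_authenticate_with :name => "dhh", :password => not_a_string, :except => :index
  end

  class SafeController < ApplicationController
    # Recommended shape: ENV.fetch raises KeyError at boot when the variable is
    # missing, rather than silently configuring a nil password.
    http_basic_authenticate_with name: ENV.fetch("ADMIN_USER"),
                                 password: ENV.fetch("ADMIN_PASSWORD")
  end

  class NotAController
    http_basic_authenticate_with password: "ignored-because-not-a-controller"
  end
RUBY

# Yield every S-expression node (an Array whose first element is a Symbol).
def each_node(node, &blk)
  return unless node.is_a?(Array)
  yield node if node.first.is_a?(Symbol)
  node.each { |child| each_node(child, &blk) }
end

# Constant names appearing in a node, in source order (e.g. ["Admin", "BaseController"]).
def const_names(node)
  names = []
  each_node(node) { |n| names << n[1] if n[0] == :@const }
  names
end

# For a call node return [method_name, line]; handles both
# `foo a: 1` (:command) and `foo(a: 1)` (:method_add_arg over :fcall).
def callee(node)
  ident =
    case node[0]
    when :command        then node[1]
    when :method_add_arg then node[1][1] if node[1][0] == :fcall
    end
  return nil unless ident.is_a?(Array) && ident[0] == :@ident
  [ident[1], ident[2][0]]
end

# Hash key name for `:password => v` (symbol literal) or `password: v` (label).
def key_name(key)
  return nil unless key.is_a?(Array)
  case key[0]
  when :@label         then key[1].delete_suffix(":")
  when :symbol_literal then key[1][1][1] if key[1][0] == :symbol
  end
end

# Text of a plain (non-interpolated) string literal, or nil for anything else:
# a variable, a method call such as ENV.fetch(...), or "#{...}" interpolation.
def plain_string(value)
  return nil unless value.is_a?(Array) && value[0] == :string_literal
  content = value[1]
  return nil unless content.is_a?(Array) && content[0] == :string_content
  parts = content.drop(1)
  return nil unless parts.all? { |p| p[0] == :@tstring_content }
  parts.map { |p| p[1] }.join
end

# Report every ApplicationController subclass that calls
# http_basic_authenticate_with with a literal :password value.
def find_hardcoded_basic_auth(source)
  tree = Ripper.sexp(source)
  raise ArgumentError, "source does not parse" if tree.nil?
  findings = []
  each_node(tree) do |cls|
    next unless cls[0] == :class && const_names(cls[2]).last == "ApplicationController"
    class_name = const_names(cls[1]).last
    each_node(cls[3]) do |call|
      name, line = callee(call)
      next unless name == "http_basic_authenticate_with"
      each_node(call) do |assoc|
        next unless assoc[0] == :assoc_new && key_name(assoc[1]) == "password"
        secret = plain_string(assoc[2])
        findings << { class: class_name, line: line, secret: secret } if secret
      end
    end
  end
  findings
end

if __FILE__ == $PROGRAM_NAME
  find_hardcoded_basic_auth(SAMPLE_SOURCE).each do |f|
    puts "#{f[:class]} line #{f[:line]}: hardcoded basic-auth password #{f[:secret].inspect}"
  end
end
```

Running the file reports DangerousController and AlsoDangerousController and stays silent on the other three classes: the OkController value is a method call, SafeController's values come from ENV.fetch, and NotAController is outside the pattern-inside constraint because it does not inherit from ApplicationController. The check is on the argument's syntax, not on what it evaluates to, which is exactly why a literal inside a controller is the thing worth refusing in review: the secret is committed to version control regardless of how the application later uses it.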
Short Link: https://sg.run/6r0w