
Java code with hardcoded credentials #159

Closed
rafaelrenanpacheco opened this issue Nov 26, 2020 · 2 comments

Comments

@rafaelrenanpacheco

What happened:

We are evaluating horusec using a Java project that has hardcoded credentials in it. When we run the analysis, horusec did not warn us about the use of hardcoded credentials in our Java file. Maybe we are missing some configuration, so I'm opening this issue to discuss the code below and to understand whether it should be reported as a security issue by the horusec analysis.

This is the code with hardcoded credentials:

import java.sql.DriverManager;
import java.sql.SQLException;

import lombok.extern.slf4j.Slf4j;
import org.springframework.stereotype.Service;

@Slf4j
@Service
public class ExampleService {

    // Plain-text database password kept in a constant with a non-descriptive name
    private static final String P = "testhorusecpwd";

    private final ExampleFactory exampleFactory;

    public ExampleService(ExampleFactory exampleFactory) {
        this.exampleFactory = exampleFactory;
    }

    public ExampleResponse create(ExampleRequest request) {
        Example example = exampleFactory.toExample(request);

        ClientRequest clientRequest = exampleFactory.toClientRequest(example);

        ExampleResponse exampleResponse = new ExampleResponse();
        exampleResponse.setMessage(String.format("Document '%s' sent to Kafka", clientRequest.getCpf()));

        String url = "jdbc:mysql://localhost/test";
        String u = "horusroot";

        try {
            // The hardcoded user name and password flow into the JDBC connection here
            getConn(url, u, P);
        } catch (SQLException e) {
            log.error(e.getMessage());
        }

        return exampleResponse;
    }

    public static void getConn(String url, String v, String q) throws SQLException {
        DriverManager.getConnection(url, v, q);
    }
}

In this example we are setting a plain text password and using it to open a database connection. Shouldn't horusec identify these lines as a security issue?

Environment:

  • Horusec version: 1.5.0
  • Operating System: Ubuntu 18.04
@wiliansilvazup
Contributor

wiliansilvazup commented Nov 26, 2020

Thanks for your report @rafaelrenanpacheco

Currently at Horusec we only perform analyses using the syntactic analysis method. With this we have some limitations, one of which is that we perform an analysis in search of exposed passwords based on the regexes below:

(?i)(set)?password\s*(.?=.?|\()\s*['|\"]\w+[[:print:]]*['|\"]
(?i)(set)?pass\s*(.?=.?|\()\s*['|\"]\w+[[:print:]]*['|\"]
(?i)(set)?pwd\s*(.?=.?|\()\s*['|\"]\w+[[:print:]]*['|\"]
(?i)(set)?passwd\s*(.?=.?|\()\s*['|\"]\w+[[:print:]]*['|\"]
(?i)(set)?senha\s*(.?=.?|\()\s*['|\"]\w+[[:print:]]*['|\"]

As in your case the variable P has a very generic name and can generate several false positives, we will check with the team for the best way to implement it. The best option would be to be able to check if the variable is being used, but we currently don't have that option in our Horusec-Engine. We have already added this case to our roadmap.
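Added example (not code from the issue or from the Horusec project): the five rules above, folded into one alternation, are run over a condensed copy of the reported Java snippet next to a simple use-based heuristic of the kind the comment suggests. The sink names getConn and getConnection and the stringDecl/sinkCall patterns are assumptions made for this example.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// The five rules quoted above differ only in the keyword, so they are folded into one alternation (Go's regexp accepts [[:print:]]).
var passwordRule = regexp.MustCompile(
	`(?i)(set)?(password|pass|pwd|passwd|senha)\s*(.?=.?|\()\s*['|\"]\w+[[:print:]]*['|\"]`)
// Condensed copy of the Java snippet from the issue (constructed test input).
const Sample = `private static final String P = "testhorusecpwd";
String url = "jdbc:mysql://localhost/test";
String u = "horusroot";
getConn(url, u, P);`

// SyntacticHits returns the 1-based line numbers that the regex rule matches.
func SyntacticHits(src string) (hits []int) {
	for i, line := range strings.Split(src, "\n") {
		if passwordRule.MatchString(line) {
			hits = append(hits, i+1)
		}
	}
	return hits
}

// Assumed credential sinks for this example (not a Horusec rule).
var sinkCall = regexp.MustCompile(`\b(?:getConnection|getConn)\s*\(([^)]*)\)`)
var stringDecl = regexp.MustCompile(`\bString\s+(\w+)\s*=\s*"([^"]*)"`)
// ConstantsReachingSinks maps each identifier declared with a string literal and
// passed straight to a sink call to that literal, whatever the identifier is named.
func ConstantsReachingSinks(src string) map[string]string {
	literals, found := map[string]string{}, map[string]string{}
	for _, m := range stringDecl.FindAllStringSubmatch(src, -1) {
		literals[m[1]] = m[2]
	}
	for _, call := range sinkCall.FindAllStringSubmatch(src, -1) {
		for _, arg := range strings.Split(call[1], ",") {
			if lit, ok := literals[strings.TrimSpace(arg)]; ok {
				found[strings.TrimSpace(arg)] = lit
			}
		}
	}
	return found
}

func main() {
	fmt.Println(SyntacticHits(Sample), ConstantsReachingSinks(Sample))
}
```

The regex rule produces no hit on the snippet because nothing is named like a password, while the use-based pass reports P, u and url because they are string constants handed to a connection call.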

@rafaelrenanpacheco
Author

Hello @wiliansilvazup!

Thanks for the explanation, we will continue with our evaluation.

If I understood correctly, what is missing now is some kind of semantic analysis. Please let us know when horusec gets semantic analysis in its engine.

Best regards,
Rafael Pacheco.
