-
Notifications
You must be signed in to change notification settings - Fork 1.5k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Go: Consider more strings as hardcoded credentials #15924
Go: Consider more strings as hardcoded credentials #15924
Conversation
type = SensitiveExpr::password() and | ||
message = "Hard-coded credential." | ||
type = SensitiveExpr::secret() and | ||
message = "Hard-coded $@." |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I also changed this so that the alert contains a link to the source (i.e. the hard-coded string).
The source you linked to looks a lot like a dummy password... |
Yes. There's where the vulnerability is: that dummy password was used in production and attackers could forge JWT tokens because it was known (see CVE-2023-22463). The dummy password heuristic makes sense for things like But when dealing with hard-coded passwords, even if they're dummy, they're still used for sensitive things like authentication or cryptographic operations. Even an empty string would be a problem. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks for the explanation. It all looks good. And thanks for improving the alert message in passing.
Using the heuristic for dummy passwords to discard sources in this query makes us miss sources like this one, so I think it's a good idea to remove the limitation.