Use of hard-coded passwords is a bad practice #249

Open
wants to merge 3 commits into
base: v0.5.x

akondasif

I am a security researcher, who is looking for security smells in Puppet scripts.
I noticed two instances of hard-coded passwords, which are against the best practices
recommended by Common Weakness Enumeration (CWE) [https://cwe.mitre.org/data/definitions/259.html] and also by other security practitioners.
I have added hiera support to mitigate this smell. Feedback is welcome.

Here is where I noticed hard-coded passwords: https://github.com/biemond/biemond-wildfly/blob/v0.5.x/manifests/params.pp

remove hard-coded passwords using hiera
adding hiera support
@coveralls

coveralls commented Jul 14, 2018

Coverage increased (+3.0%) to 23.447% when pulling 5c4dba0 on akondasif:v0.5.x into 8d1593a on biemond:v0.5.x.

@jairojunior
Collaborator

Thank you, but calling hiera functions is a Puppet bad practice: https://puppet.com/docs/puppet/5.5/style_guide.html

"You should avoid using calls to Hiera functions in modules meant for public consumption, because not all users have implemented Hiera. Instead, we recommend using parameters that can be overridden with Hiera."

I guess the proper way to address both your point and Hiera best practice would be to force users to define this parameter.
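
The hard-coded password smell (CWE-259) discussed in this thread can be checked for mechanically before a manifest is merged. The following is an added example, not code from this pull request or from the module: a line-based Python check that flags secret-looking Puppet variables, parameter defaults and attributes bound to a non-empty string literal, and ignores function calls such as `hiera()`, interpolated strings and empty placeholders. The name pattern and the sample manifest lines are constructed assumptions.

```python
import re

# Names that suggest a secret (assumption: a short illustrative list).
SECRET_NAME = re.compile(r"(pass(word|wd)?|pwd|secret|token)", re.I)
# `$name = value` (variable or parameter default) or `name => value` (attribute).
ASSIGNMENT = re.compile(
    r"""(?:\$(?P<var>[\w:]+)\s*=(?![=~])|(?P<key>['"]?[\w:]+['"]?)\s*=>)"""
    r"""\s*(?P<value>.+?)\s*,?\s*$"""
)
# A string literal: single-quoted, or double-quoted with no $ interpolation.
LITERAL = re.compile(r"""^(?:'(?P<s>(?:[^'\\]|\\.)*)'|"(?P<d>(?:[^"\\$]|\\.)*)")$""")

def strip_comment(line):
    """Drop a trailing # comment unless the # sits inside a quoted string."""
    quote, escaped = None, False
    for i, ch in enumerate(line):
        if escaped or ch == "\\":
            escaped = not escaped
        elif quote:
            quote = None if ch == quote else quote
        elif ch in "'\"":
            quote = ch
        elif ch == "#":
            return line[:i]
    return line

def find_hardcoded_passwords(manifest):
    """Return (line_number, name) for secret-like names bound to a literal."""
    findings = []
    for lineno, raw in enumerate(manifest.splitlines(), start=1):
        m = ASSIGNMENT.search(strip_comment(raw).strip())
        lit = LITERAL.match(m.group("value")) if m else None
        if not lit:
            continue
        name = (m.group("var") or m.group("key")).strip("'\"")
        # An empty string is a placeholder, not a credential.
        if SECRET_NAME.search(name) and (lit.group("s") or lit.group("d")):
            findings.append((lineno, name))
    return findings

# Constructed sample lines (hypothetical names, not taken from the module).
SAMPLE = '''\
$mgmt_password = 'changeme'   # literal default: flagged
$db_password   = hiera('example::db_password')
$api_token     = "${facts['token']}"
$keystore_pass = ''
  password => "s3cret",        # resource attribute: flagged
'''

if __name__ == "__main__":
    print(find_hardcoded_passwords(SAMPLE))
```

The check works one line at a time, so a literal inside a single-line hash such as `{ 'password' => 'x' }` is not reported.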
