A07:2021 - Identification and Authentication Failures

Use of Hard-coded Credentials

About

Securing sensitive data or credentials like:

• API credentials
• Session Secret Key
• DB Connection Credentials
• Security Tokens is a very important task for any application. If the credentials are not secured properly, then the attacker can easily access the sensitive data and misuse them.

Demo

1. In the root directory, run:

snyk code test

Among the results, you should see also a medium severity vulnerability: Use of Hardcoded Credentials.

2. We will use environment variables from .env file.
3. It should already contain following values:

# Database configuration
DB_HOST=localhost
DB_PORT=5432
DB_USER=postgres
DB_PASSWORD=postgres
DB_NAME=hackhealthdb

4. In the file dbServer.ts, replace the hardcoded credentials with environment variables:
   It is already implemented in dbCreate.ts, dbDrop.ts and dbSeed.ts

Final implementation of dbServer.ts:

// Configure connection to database
 
import {Pool} from 'pg';
 
 
const pool = new Pool({
    host: process.env.DB_HOST,
    port: process.env.DB_PORT,
    user: process.env.DB_USER,
    password: process.env.DB_PASSWORD,
    database: process.env.DB_NAME,
})
 
export default pool;

5. After replacing the credentials with environment variables in affected file, this vulnerability should be gone after running snyk code test again.

Prevention

Credentials should never be hard-coded in the application. One of the practices is to use environment variables. Other ways to prevent this vulnerability are:

• Use of a credential manager
• Use of a key management system
• Use of a password vault

In real-world applications, it is recommended to use the methods mentioned above rather than environment variables.

Sources

• https://www.geeksforgeeks.org/where-should-secret-keys-should-be-stored-for-a-node-js-app/ (opens in a new tab)