Hardcoded credentials Critical

Hardcoded credentials can be discovered by malicious actors. Even after they are removed from the code, they may still pose a risk because an attacker might already have recorded them for later use.

Detector ID
typescript/hardcoded-credentials@v1.0
Category
Common Weakness Enumeration (CWE)

Noncompliant example

function nonCompliant() {
  const crypto = require("crypto");
  // Derives a key with PBKDF2 from a password literal that lives in the
  // source itself; the salt and hash parameters are passed through as given.
  function hardcodedCredentialsNoncompliant(
    salt: any,
    iterations: any,
    keyLen: any,
    digest: any,
  ) {
    // Invoked by pbkdf2 with either an error or the derived key.
    const onDerived = (err: any, key: { toString: (arg0: string) => any }) => {
      if (err) {
        throw err;
      }
      return key.toString("base64");
    };
    // Noncompliant: password is hardcoded, so anyone who can read the code
    // (or its history) obtains it.
    crypto.pbkdf2("password", salt, iterations, keyLen, digest, onDerived);
  }
}

Compliant example

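function compliant() {
  const crypto = require("crypto");
  /**
   * Derives a key with PBKDF2 from the password held in the `password`
   * environment variable. Fails fast with a descriptive error when that
   * variable is unset, instead of letting pbkdf2 reject an undefined
   * password with a generic argument-type error. The salt and hash
   * parameters are passed through as given.
   */
  function hardcodedCredentialsCompliant(
    salt: any,
    iterations: any,
    keyLen: any,
    digest: any,
  ) {
    // Compliant: password is obtained from environment, not from source.
    const password = process.env.password;
    if (password === undefined) {
      throw new Error("environment variable 'password' is not set");
    }
    crypto.pbkdf2(
      password,
      salt,
      iterations,
      keyLen,
      digest,
      (err: any, key: { toString: (arg0: string) => any }) => {
        if (err) {
          // Thrown from an asynchronous callback, so the caller cannot catch
          // this; production code should hand the error back to the caller
          // (callback or Promise) rather than throw here.
          throw err;
        }
        // pbkdf2 ignores the callback's return value; the derived key is only
        // usable inside this callback.
        return key.toString("base64");
      },
    );
  }
}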