Hardcoded credentials can be discovered by malicious actors. Even after they are removed from the code, they may still pose a risk, because an attacker might already have recorded them to use at a later point in time; a credential that was ever hardcoded should therefore be rotated as well as removed.
function nonCompliant() {
  const crypto = require("crypto");

  /**
   * Noncompliant example for the hardcoded-credentials rule: the PBKDF2
   * password is the string literal "password", so the secret ships with
   * the source and every copy of it. The function is defined here only
   * as an illustration and is never invoked.
   *
   * @param salt       - salt forwarded to `crypto.pbkdf2`
   * @param iterations - iteration count forwarded to `crypto.pbkdf2`
   * @param keyLen     - derived key length in bytes
   * @param digest     - hash algorithm name forwarded to `crypto.pbkdf2`
   */
  function hardcodedCredentialsNoncompliant(
    salt: any,
    iterations: any,
    keyLen: any,
    digest: any,
  ) {
    const onDerived = (err: any, key: { toString: (arg0: string) => any }) => {
      if (err) {
        throw err;
      }
      // pbkdf2 ignores its callback's return value, so the encoded key
      // computed here never reaches a caller.
      return key.toString("base64");
    };
    // Noncompliant: password is hardcoded.
    crypto.pbkdf2("password", salt, iterations, keyLen, digest, onDerived);
  }
}
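function compliant() {
  const crypto = require("crypto");

  /**
   * Compliant example for the hardcoded-credentials rule: the PBKDF2
   * password is read from the `password` environment variable at call
   * time, so no secret is present in the source.
   *
   * An unset variable is reported explicitly instead of being passed to
   * `crypto.pbkdf2` as `undefined`, and the derived key is delivered to
   * the caller through `done` because pbkdf2 discards its callback's
   * return value.
   *
   * @param salt       - salt forwarded to `crypto.pbkdf2`
   * @param iterations - iteration count forwarded to `crypto.pbkdf2`
   * @param keyLen     - derived key length in bytes
   * @param digest     - hash algorithm name forwarded to `crypto.pbkdf2`
   * @param done       - optional error-first receiver of the base64-encoded key
   * @throws Error if the `password` environment variable is unset or empty
   */
  function hardcodedCredentialsCompliant(
    salt: any,
    iterations: any,
    keyLen: any,
    digest: any,
    done?: (err: Error | null, key?: string) => void,
  ) {
    // Compliant: password is obtained from environment.
    const password = process.env.password;
    // Fail fast with a clear message: a missing secret is a configuration
    // error, and pbkdf2 would otherwise reject `undefined` with a generic
    // argument-type error.
    if (password === undefined || password === "") {
      throw new Error("environment variable 'password' is not set");
    }
    crypto.pbkdf2(
      password,
      salt,
      iterations,
      keyLen,
      digest,
      (err: any, key: { toString: (arg0: string) => any }) => {
        if (err) {
          // Without a receiver, keep the original behaviour of throwing.
          if (done) {
            done(err);
            return;
          }
          throw err;
        }
        if (done) {
          done(null, key.toString("base64"));
        }
      },
    );
  }
}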