// semmle-extractor-options: /r:${testdir}/../../../resources/assemblies/System.Web.dll /r:${testdir}/../../../resources/assemblies/System.Web.ApplicationServices.dll /r:${testdir}/../../../resources/assemblies/System.Data.dll /r:System.Text.RegularExpressions.dll /r:System.Collections.Specialized.dll /r:System.Data.Common.dll /r:System.Security.Cryptography.X509Certificates.dll /r:System.Runtime.InteropServices.dll
using System;
using System.Data.SqlClient;
using System.Web;
using System.Web.Security;
using System.Security.Cryptography.X509Certificates;
/// <summary>
/// Test fixture for a hard-coded-credentials static-analysis check.
/// Each <c>// BAD</c> comment marks an expression the check is expected to flag
/// (a password, user name or certificate supplied as a string/byte literal); each
/// <c>// GOOD</c> comment marks an expression that must not be flagged (the value
/// comes from a configuration call, or passes through a call the check treats as
/// a sanitizer). The helper methods at the bottom are stubs returning fixed values
/// so the file compiles without a real secret store or password hasher.
/// </summary>
public class HardcodedHandler : IHttpHandler
{
    /// <summary>
    /// Exercises the credential sources and sinks the check is meant to recognise.
    /// Nothing here is real authentication logic: the redirects and constructed
    /// objects exist only to give each literal a sink. A literal secret compiled
    /// into an assembly is recoverable by anyone who obtains the binary and cannot
    /// be rotated without rebuilding, which is why the literal forms are the BAD cases.
    /// </summary>
    /// <param name="ctx">Request context; only <c>Request.QueryString["password"]</c>
    /// and <c>Response.Redirect</c> are used.</param>
    public void ProcessRequest(HttpContext ctx)
    {
        string password = ctx.Request.QueryString["password"];
        // BAD: Inbound authentication made by comparison to string literal
        if (password == "myPa55word")
        {
            ctx.Response.Redirect("login");
        }
        // LoadPasswordFromSecretConfig is a stub (returns null below); only the
        // call shape matters to the check, not the value.
        string hashedPassword = LoadPasswordFromSecretConfig();
        // GOOD: the password is checked
        if (VerifyHashedPassword(hashedPassword, password))
        {
            ctx.Response.Redirect("login");
        }
        // BAD: Create a membership user with hardcoded username
        // (the flagged argument is the literal passed as `name`; the other
        // literals are filler so the constructor call compiles)
        MembershipUser user = new MembershipUser(
            providerName: "provider",
            name: "username",
            providerUserKey: "username",
            email: "foo@bar.com",
            passwordQuestion: "Hardcoded question.",
            comment: "",
            isApproved: true,
            isLockedOut: false,
            creationDate: DateTime.Now,
            lastLoginDate: DateTime.Now,
            lastActivityDate: DateTime.Now,
            lastPasswordChangedDate: DateTime.Now,
            lastLockoutDate: DateTime.Now
        );
        // BAD: Set the password to a hardcoded string literal
        user.ChangePassword(password, "myNewPa55word");
        // Placeholder certificate bytes; the content is irrelevant, the literal
        // array is what the check is expected to see.
        byte[] rawCertData = new byte[] { 0x20, 0x20, 0x20 };
        // BAD: Passing a literal certificate and password to an X509 certificate constructor
        X509Certificate2 cert = new X509Certificate2(
            rawCertData,
            "myPa55word");
        // BAD: Passing literal Password to connection string
        SqlConnection conn = new SqlConnection("Password=12345");
        // BAD: Passing literal User Id to connection string
        SqlConnection conn2 = new SqlConnection("User Id=12345");
        // GOOD: Password is not specified literally
        // (the "Password=" and ";" fragments are literals, but the secret itself
        // is not, so concatenation must not be reported)
        SqlConnection conn3 = new SqlConnection("Password=" + LoadPasswordFromSecretConfig() + ";");
        // SANITIZERS:
        // GOOD: Password is not set literally, and the replace characters should not be considered as sources
        X509Certificate2 cert2 = new X509Certificate2(
            "cert.cert",
            LoadPasswordFromSecretConfig().Replace("=", "\\="));
        // GOOD: Password is not set literally, and ToString
        X509Certificate2 cert3 = new X509Certificate2(
            "cert.cert",
            new Foo().ToString());
        // GOOD: Password is not set literally
        // (string.Format and interpolation wrap the configured value; neither
        // form should be reported)
        conn = new SqlConnection(string.Format("Password={0}", LoadPasswordFromSecretConfig()));
        conn = new SqlConnection($"Password={LoadPasswordFromSecretConfig()}");
        // BAD: Hard-coded user
        Membership.CreateUser("myusername", "mypassword");
    }

    /// <summary>
    /// Helper type whose ToString result is used as a certificate password above,
    /// to confirm that a ToString call is not treated as a hard-coded source.
    /// </summary>
    class Foo
    {
        // NOTE(review): this method has no access modifier (so it is private) and
        // is not an `override`; the call `new Foo().ToString()` in the outer class
        // therefore appears to bind to object.ToString() rather than this method.
        // Either way the sanitizer intent described below holds - confirm if the
        // fixture ever depends on "Foo" being the returned value.
        string ToString()
        {
            // We don't consider this hard-coded data - too many ToString implementations include
            // string literal construction
            return "Foo";
        }
    }

    /// <summary>
    /// Stub standing in for a lookup from a secret store / protected configuration.
    /// Always returns null; it exists so the GOOD cases have a non-literal source.
    /// </summary>
    /// <returns>Always <c>null</c> in this fixture.</returns>
    public string LoadPasswordFromSecretConfig()
    {
        return null;
    }

    /// <summary>
    /// Stub for a password-hash verifier; always returns true here.
    /// A real implementation must compare against a salted hash, not a plain string.
    /// </summary>
    /// <param name="hashedPassword">Stored hash (unused by the stub).</param>
    /// <param name="password">Supplied password (unused by the stub).</param>
    /// <returns>Always <c>true</c> in this fixture.</returns>
    public static bool VerifyHashedPassword(string hashedPassword, string password)
    {
        // API provided by System.Web.Helpers.Crypto.VerifyHashedPassword
        // but that assembly not available on Mono.
        return true;
    }

    /// <summary>
    /// IHttpHandler member; fixed to <c>true</c> for the fixture.
    /// </summary>
    public bool IsReusable
    {
        get
        {
            return true;
        }
    }
}