Audit required: found possible occurrence of secret in source CXX-A1004
This issue attempts to uncover cases of sensitive information, such as passwords, encryption keys, or other confidential data, being hardcoded into the source code and shipped with the software.
This is a serious security issue because if the source code is accessible, the secret information can be easily extracted by attackers.
For example, if an attacker gains access to the source code of a software application that has a hardcoded password, they can use that password to gain unauthorized access to the system or to sensitive data.
It's generally recommended that sensitive information should not be stored in the source code, and that it should be stored in a separate configuration file, environment variable, or other secure location. Additionally, proper encryption and access control should be used to protect sensitive information.
In C & C++, you can avoid this weakness by using libraries or functions
that handle secret information securely, such as Win32 API function
GetEnvironmentVariable(..).
Additionally, you can use secure coding practices, such as avoiding hardcoded secrets and securing memory allocations, to ensure that sensitive information is protected.
Bad practice
bool loginAsRoot(const std::string& userName,
const std::string& password)
{
if (userName == "root" && password == "root_user_password") {
// ....
return true;
}
return false;
}
Recommended
bool loginAsRoot(const Secrets& secret,
const std::string& userName,
const std::string& password)
{
if (userName == secret.rootUserName && password == secret.rootPassword) {
// ....
return true;
}
return false;