Secrets

Made by DeepSource

Hardcoded Clojars API token in source code SCT-1040

Category: Secrets
Severity: Critical

A hardcoded Clojars API token lets anyone who obtains it deploy artifacts to Clojars under the token owner's identity, including malicious versions of packages. If the token has been committed to source control, treat it as leaked and reset it from the Clojars dashboard; deleting it from the code does not remove it from the repository history.

To fix this issue, read the API token from an environment variable (set as a CI secret or in the developer's shell) instead of writing it into the source. This keeps the token out of the codebase and its history, and lets it be rotated without changing the code.

Bad practice

(ns publish
  (:require [clojure.java.io :as io]
            [clojure.java.shell :as shell]))

(defn publish-to-clojars [group-id artifact-id version packaging file]
  (let [repository "https://clojars.org/repo/"
        username "username"
        ;; Deploy token committed as a string literal: this is what SCT-1040 flags.
        password "my-api-token"
        pom (io/file file)
        ;; The jar is expected next to the pom, named <artifact-id>-<version>.jar
        jar (io/file (.getParent pom) (str artifact-id "-" version ".jar"))
        coords (str group-id "/" artifact-id "/" version)
        ;; shell/sh runs curl to completion and returns {:exit :out :err}
        {:keys [exit out err]} (shell/sh "curl" "-X" "PUT"
                                         "-u" (str username ":" password)
                                         "-F" (str "file=@" jar)
                                         "-F" (str "pom=@" pom)
                                         (str repository coords packaging))
        response (str out err)]
    (when (or (not= 0 exit) (.contains response "could not upload"))
      (throw (Exception. response)))
    response))

(publish-to-clojars "my-group-id" "my-artifact-id" "1.0.0" "jar" "path/to/my/artifact.jar")

Recommended

(ns publish
  (:require [clojure.java.io :as io]
            [clojure.java.shell :as shell]))

(defn publish-to-clojars [group-id artifact-id version packaging file]
  (let [repository "https://clojars.org/repo/"
        username "username"
        ;; Read the deploy token from the environment (CI secret or the developer's
        ;; shell); fail fast instead of silently sending an empty password.
        password (or (System/getenv "CLOJARS_API_TOKEN")
                     (throw (ex-info "CLOJARS_API_TOKEN is not set" {})))
        pom (io/file file)
        ;; The jar is expected next to the pom, named <artifact-id>-<version>.jar
        jar (io/file (.getParent pom) (str artifact-id "-" version ".jar"))
        coords (str group-id "/" artifact-id "/" version)
        ;; shell/sh runs curl to completion and returns {:exit :out :err}
        {:keys [exit out err]} (shell/sh "curl" "-X" "PUT"
                                         "-u" (str username ":" password)
                                         "-F" (str "file=@" jar)
                                         "-F" (str "pom=@" pom)
                                         (str repository coords packaging))
        response (str out err)]
    (when (or (not= 0 exit) (.contains response "could not upload"))
      (throw (Exception. response)))
    response))

(publish-to-clojars "my-group-id" "my-artifact-id" "1.0.0" "jar" "path/to/my/artifact.jar")
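As an added illustration (not DeepSource's analyzer code), a minimal Python check for the pattern this rule reports: a credential-named Clojure binding whose value is a string literal, with the `System/getenv` form of the recommended snippet accepted. The regexes, function names and the two sample snippets are constructed for this example.

```python
import re

# Binding names that suggest a credential, matched case-insensitively as a bare
# symbol (`password` in a let) or as a keyword (`:password` in a map).
CRED_NAME = r"(?:password|passwd|token|api[-_]?token|deploy[-_]?token|secret)"

# `password "literal"`: the secret itself is in the source file.
LITERAL_BINDING = re.compile(
    rf'(?<![\w\-.:/])(:?{CRED_NAME})\s+"([^"\\]*(?:\\.[^"\\]*)*)"', re.IGNORECASE)

# `password (System/getenv "NAME")`: the secret is resolved at runtime, which is
# the shape the recommended snippet uses.
ENV_BINDING = re.compile(
    rf'(?<![\w\-.:/])(:?{CRED_NAME})\s+\(System/getenv\s+"[^"]+"\)', re.IGNORECASE)


def redact(value: str) -> str:
    """Report only a short prefix so the finding itself does not re-leak the token."""
    return value[:4] + "..." if len(value) > 4 else "..."


def find_hardcoded_tokens(source: str) -> list:
    """One finding per credential binding whose value is a non-empty string literal.
    Comments are deliberately not stripped: a token in a commented-out line is
    still in the repository and still has to be rotated."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for m in LITERAL_BINDING.finditer(line):
            name, value = m.group(1), m.group(2)
            if value:  # an empty string is a placeholder, not a leaked secret
                findings.append({"line": lineno, "binding": name, "value": redact(value)})
    return findings


def uses_env_lookup(source: str) -> bool:
    """True when at least one credential binding reads from the environment."""
    return ENV_BINDING.search(source) is not None


# Constructed samples: the bad and recommended bindings from the snippets above.
BAD_SNIPPET = """(let [repository "https://clojars.org/repo/"
      username "username"
      password "my-api-token"]
  ...)"""
GOOD_SNIPPET = BAD_SNIPPET.replace(
    'password "my-api-token"', 'password (System/getenv "CLOJARS_API_TOKEN")')

if __name__ == "__main__":
    print(find_hardcoded_tokens(BAD_SNIPPET))   # one finding on line 3, value redacted
    print(find_hardcoded_tokens(GOOD_SNIPPET))  # []
```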