
fix(test-tooling): use of hardcoded password #2766

Open
jagpreetsinghsasan opened this issue Oct 11, 2023 · 4 comments · May be fixed by #3428
Assignees
Labels
good-first-issue Good for newcomers good-first-issue-100-introductory Hacktoberfest Hacktoberfest participants are welcome to take a stab at issues marked with this label. P4 Priority 4: Low Security Related to existing or potential security vulnerabilities Tests Anything related to tests be that automatic or manual, integration or unit, etc.

Comments

@jagpreetsinghsasan
Contributor

Description

Static source code assessment has picked up a potential vulnerability regarding the use of a hardcoded password.

The report from which the above information was summarized

Risk Rating: Low
Category: Sensitive data exposure

Description

The application codebase has string literal passwords embedded in the source code. This hardcoded value is used either to compare to user-provided credentials, or to authenticate downstream to a remote system (such as a database or a remote web service).  

Impact

Hardcoded passwords expose the application to password leakage. If an attacker gains access to the source code, she will be able to steal the embedded passwords, and use them to impersonate a valid user. This could include impersonating end users to the application, or impersonating the application to a remote system, such as a database or a remote web service. Once the attacker succeeds in impersonating the user or application, she will have full access to the system, and be able to do anything the impersonated identity could do.

Remediation Recommendation

Do not hardcode any secret data in source code, especially not passwords. In particular, user passwords should be stored in a database or directory service, and protected with a strong password hash (e.g. bcrypt, scrypt, PBKDF2, or Argon2). Do not compare user passwords with a hardcoded value. 
System passwords should be stored in a configuration file or the database, and protected with strong encryption (e.g. AES-256). Encryption keys should be securely managed, and not hardcoded.

Affected files (path - line number)

packages/cactus-test-tooling/src/main/typescript/openethereum/openethereum-test-ledger.ts - 236

Snapshot of the source code at the time of scan (screenshot not reproduced)

Source: APP PE Hyperledger Cacti v2.0.0 - Static Application Assessment Report.odt

cc: @takeutak @izuru0 @outSH @petermetz

@jagpreetsinghsasan jagpreetsinghsasan added good-first-issue Good for newcomers Security Related to existing or potential security vulnerabilities Hacktoberfest Hacktoberfest participants are welcome to take a stab at issues marked with this label. good-first-issue-100-introductory Tests Anything related to tests be that automatic or manual, integration or unit, etc. P4 Priority 4: Low labels Oct 11, 2023
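The parameter shape the scan flagged and the shape of the fix described later in this thread, as an added TypeScript example (not the Cacti project's own code); the RPC stand-in, the placeholder literal and the regex-based check are constructed for illustration:

```typescript
import { randomBytes } from "crypto";

// Constructed stand-in for the ledger's "new personal account" RPC
// (hypothetical, not Cacti's code): it records every password it sees.
export function fakeRpc(): { call: (pw: string) => string; seen: string[] } {
  const seen: string[] = [];
  return {
    seen,
    call: (pw) => {
      seen.push(pw);
      return "0x" + randomBytes(20).toString("hex"); // fake account address
    },
  };
}

// Shape the scan flagged (constructed reproduction): an optional
// parameter whose default is a string literal, so every caller that
// omits it shares one secret that lives in the repository.
export function newEthPersonalAccountBefore(
  rpc: (pw: string) => string,
  password = "constructed-placeholder-password", // placeholder, not the real literal
): string {
  return rpc(password);
}

// Hardened form matching the fix in the thread: password is mandatory
// and an empty value fails loudly instead of creating a weakly protected account.
export function newEthPersonalAccount(
  rpc: (pw: string) => string,
  password: string,
): string {
  if (typeof password !== "string" || password.length === 0) {
    throw new Error("newEthPersonalAccount: a non-empty password is required");
  }
  return rpc(password);
}

// Per-run secret for test callers: generated at runtime, never committed.
export function randomTestPassword(bytes = 24): string {
  return randomBytes(bytes).toString("hex");
}

// Lightweight check in the spirit of the static scan: 1-based line
// numbers where a password-like name is assigned a string literal.
export function findHardcodedPasswordDefaults(source: string): number[] {
  const pattern = /\b(password|passwd|secret)\s*(?::\s*string)?\s*[=:]\s*["'][^"']*["']/i;
  return source.split("\n").map((l, i) => (pattern.test(l) ? i + 1 : -1)).filter((n) => n > 0);
}
```

Running findHardcodedPasswordDefaults over a file flags the "before" signature but not the hardened one, which is the property the fix restores.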
@ShatilKhan

Hi @jagpreetsinghsasan
Please assign me this issue

@petermetz
Member

@ShatilKhan All yours!

@outSH
Contributor

outSH commented Oct 16, 2023

@petermetz @ShatilKhan

Similar issue occurs in openethereum test ledger as well: https://github.com/hyperledger/cacti/blob/main/packages/cactus-test-tooling/src/main/typescript/openethereum/openethereum-test-ledger.ts#L234

@ashnashahgrover
Contributor

Can you assign me this issue?

ashnashahgrover added a commit to ashnashahgrover/cacti that referenced this issue Jul 22, 2024
Primary Changes
----------------
1. Updated line 236 in openethereum-test-ledger.ts so the default password argument to the newEthPersonalAccount function is not hardcoded.

Fixes hyperledger#2766

Signed-off-by: ashnashahgrover <[email protected]>
@ashnashahgrover ashnashahgrover linked a pull request Jul 22, 2024 that will close this issue
ashnashahgrover added a commit to ashnashahgrover/cacti that referenced this issue Aug 5, 2024
Primary Changes
----------------
1. Updated line 236 in openethereum-test-ledger.ts so the default password argument to the
newEthPersonalAccount function is not hardcoded.

Fixes hyperledger#2766

BREAKING CHANGE: A line exceeding 100 characters has been split into two lines.

Signed-off-by: ashnashahgrover <[email protected]>
ashnashahgrover added a commit to ashnashahgrover/cacti that referenced this issue Aug 11, 2024
Primary Changes
----------------
1. Updated line 236 in openethereum-test-ledger.ts so the default password argument to the
newEthPersonalAccount function is not hardcoded.

Fixes hyperledger#2766

BREAKING CHANGE: "password" is now a mandatory parameter of the newEthPersonalAccount function
defined in openethereum-test-ledger.ts. It was previously optional.

Signed-off-by: ashnashahgrover <[email protected]>
ashnashahgrover added a commit to ashnashahgrover/cacti that referenced this issue Aug 12, 2024
Primary Changes
----------------
1. BREAKING CHANGE: "password" is now a mandatory parameter of the newEthPersonalAccount function
defined in openethereum-test-ledger.ts. It was previously optional.
2. Updated line 236 in openethereum-test-ledger.ts so the default password argument to the
newEthPersonalAccount function is not hardcoded.

Fixes hyperledger#2766

Signed-off-by: ashnashahgrover <[email protected]>
ashnashahgrover added a commit to ashnashahgrover/cacti that referenced this issue Sep 3, 2024
Primary Changes
----------------
1. BREAKING CHANGE: "password" is now a mandatory parameter of the newEthPersonalAccount function
defined in openethereum-test-ledger.ts. It was previously optional.
2. Updated line 236 in openethereum-test-ledger.ts so the default password argument to the
newEthPersonalAccount function is not hardcoded.

Fixes hyperledger#2766

Signed-off-by: ashnashahgrover <[email protected]>
Projects
Status: In review
5 participants