fix(test-tooling): use of hardcoded password #2766
Labels
good-first-issue
Good for newcomers
good-first-issue-100-introductory
Hacktoberfest
Hacktoberfest participants are welcome to take a stab at issues marked with this label.
P4
Priority 4: Low
Security
Related to existing or potential security vulnerabilities
Tests
Anything related to tests be that automatic or manual, integration or unit, etc.
Comments
Hi @jagpreetsinghsasan
@ShatilKhan All yours!
Similar issue occurs in openethereum test ledger as well: https://github.com/hyperledger/cacti/blob/main/packages/cactus-test-tooling/src/main/typescript/openethereum/openethereum-test-ledger.ts#L234
Can you assign me this issue.
ashnashahgrover added a commit to ashnashahgrover/cacti that referenced this issue on Jul 22, 2024:
    Primary Changes
    ----------------
    1. Updated line 236 in openethereum-test-ledger.ts so the default password argument to the newEthPersonalAccount function is not hardcoded.
    Fixes hyperledger-cacti#2766
    Signed-off-by: ashnashahgrover <as19@williams.edu>

ashnashahgrover added a commit to ashnashahgrover/cacti that referenced this issue on Aug 5, 2024:
    Primary Changes
    ----------------
    1. Updated line 236 in openethereum-test-ledger.ts so the default password argument to the newEthPersonalAccount function is not hardcoded.
    Fixes hyperledger-cacti#2766
    BREAKING CHANGE: A line exceeding 100 characters has been split into two lines.
    Signed-off-by: ashnashahgrover <as19@williams.edu>

ashnashahgrover added a commit to ashnashahgrover/cacti that referenced this issue on Aug 5, 2024:
    Primary Changes
    ----------------
    1. Updated line 236 in openethereum-test-ledger.ts so the default password argument to the newEthPersonalAccount function is not hardcoded.
    Fixes hyperledger-cacti#2766
    BREAKING CHANGE: A line exceeding 100 characters has been split into two lines.
    Signed-off-by: ashnashahgrover <as19@williams.edu>

ashnashahgrover added a commit to ashnashahgrover/cacti that referenced this issue on Aug 11, 2024:
    Primary Changes
    ----------------
    1. Updated line 236 in openethereum-test-ledger.ts so the default password argument to the newEthPersonalAccount function is not hardcoded.
    Fixes hyperledger-cacti#2766
    BREAKING CHANGE: "password" is now a mandatory parameter of the newEthPersonalAccount function defined in openethereum-test-ledger.ts. It was previously optional.
    Signed-off-by: ashnashahgrover <as19@williams.edu>

ashnashahgrover added a commit to ashnashahgrover/cacti that referenced this issue on Aug 12, 2024:
    Primary Changes
    ----------------
    1. BREAKING CHANGE: "password" is now a mandatory parameter of the newEthPersonalAccount function defined in openethereum-test-ledger.ts. It was previously optional.
    2. Updated line 236 in openethereum-test-ledger.ts so the default password argument to the newEthPersonalAccount function is not hardcoded.
    Fixes hyperledger-cacti#2766
    Signed-off-by: ashnashahgrover <as19@williams.edu>

ashnashahgrover added a commit to ashnashahgrover/cacti that referenced this issue on Sep 3, 2024:
    Primary Changes
    ----------------
    1. BREAKING CHANGE: "password" is now a mandatory parameter of the newEthPersonalAccount function defined in openethereum-test-ledger.ts. It was previously optional.
    2. Updated line 236 in openethereum-test-ledger.ts so the default password argument to the newEthPersonalAccount function is not hardcoded.
    Fixes hyperledger-cacti#2766
    Signed-off-by: ashnashahgrover <as19@williams.edu>

ashnashahgrover added a commit to ashnashahgrover/cacti that referenced this issue on Sep 21, 2024:
    Primary Changes
    ----------------
    1. BREAKING CHANGE: "password" is now a mandatory parameter of the newEthPersonalAccount function defined in openethereum-test-ledger.ts. It was previously optional.
    2. Updated line 236 in openethereum-test-ledger.ts so the default password argument to the newEthPersonalAccount function is not hardcoded.
    Fixes hyperledger-cacti#2766
    Signed-off-by: ashnashahgrover <as19@williams.edu>

petermetz pushed a commit to ashnashahgrover/cacti that referenced this issue on Oct 3, 2024:
    Primary Changes
    ----------------
    1. BREAKING CHANGE: "password" is now a mandatory parameter of the newEthPersonalAccount function defined in openethereum-test-ledger.ts. It was previously optional.
    2. Updated line 236 in openethereum-test-ledger.ts so the default password argument to the newEthPersonalAccount function is not hardcoded.
    Fixes hyperledger-cacti#2766
    Signed-off-by: ashnashahgrover <as19@williams.edu>

aldousalvarez pushed a commit to aldousalvarez/cactus that referenced this issue on Oct 4, 2024:
    Primary Changes
    ----------------
    1. BREAKING CHANGE: "password" is now a mandatory parameter of the newEthPersonalAccount function defined in openethereum-test-ledger.ts. It was previously optional.
    2. Updated line 236 in openethereum-test-ledger.ts so the default password argument to the newEthPersonalAccount function is not hardcoded.
    Fixes hyperledger-cacti#2766
    Signed-off-by: ashnashahgrover <as19@williams.edu>
Description
Static source code assessment has picked up a potential vulnerability regarding the use of a hardcoded password.
The report from which the above information was summarized:
Risk Rating: Low
Category: Sensitive data exposure
Description
The application codebase has string literal passwords embedded in the source code. This hardcoded value is used either to compare to user-provided credentials, or to authenticate downstream to a remote system (such as a database or a remote web service).
Impact
Hardcoded passwords expose the application to password leakage. If an attacker gains access to the source code, she will be able to steal the embedded passwords, and use them to impersonate a valid user. This could include impersonating end users to the application, or impersonating the application to a remote system, such as a database or a remote web service. Once the attacker succeeds in impersonating the user or application, she will have full access to the system, and be able to do anything the impersonated identity could do.
Remediation Recommendation
Do not hardcode any secret data in source code, especially not passwords. In particular, user passwords should be stored in a database or directory service, and protected with a strong password hash (e.g. bcrypt, scrypt, PBKDF2, or Argon2). Do not compare user passwords with a hardcoded value.
System passwords should be stored in a configuration file or the database, and protected with strong encryption (e.g. AES-256). Encryption keys should be securely managed, and not hardcoded.
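The following TypeScript is an added example, not code from the Hyperledger Cacti repository. It shows the shape of helper that a static assessment reports as "use of hardcoded password" (a password parameter whose default is a string literal), beside a hardened helper in which the password is a mandatory parameter, is validated, and is resolved from the caller or the environment with no literal fallback, as the remediation above and the linked commits describe. It also includes the kind of line-based check such a scanner runs. Every name here is hypothetical: the function names, the `TEST_LEDGER_PASSWORD` environment variable, the rejected-placeholder list and the literal `example-default-pw` are all constructed for the example and are not Cacti settings.

```typescript
// Added example, not part of the Hyperledger Cacti code base. All names and
// literals are hypothetical / constructed for illustration.
import { randomBytes } from "crypto";

// BEFORE: the shape a static scanner reports as "use of hardcoded password".
// The literal is checked into source control, so it is shared by everyone
// with repository access and by every ledger created with the default.
export function newEthPersonalAccountInsecure(
  password: string = "example-default-pw", // constructed placeholder literal
): { password: string } {
  return { password };
}

// Placeholders that must never be accepted as a real credential (constructed list).
const REJECTED_PASSWORDS = new Set(["", "password", "example-default-pw", "changeme"]);

// Validate a caller-supplied password: must be a string, not a known
// placeholder, and long enough for an account that will hold test funds.
export function validateLedgerPassword(password: unknown): string {
  if (typeof password !== "string") {
    throw new Error("password is mandatory and must be a string");
  }
  if (REJECTED_PASSWORDS.has(password)) {
    throw new Error("password must not be a placeholder value");
  }
  if (password.length < 12) {
    throw new Error("password must be at least 12 characters");
  }
  return password;
}

// Resolve the ledger password without a hardcoded fallback: an explicit
// argument wins, then the environment (assumed variable name, not a real
// Cacti setting), otherwise a fresh random secret for a throwaway test ledger.
export function resolveLedgerPassword(
  explicit?: string,
  env: Record<string, string | undefined> = process.env,
): string {
  const candidate = explicit ?? env.TEST_LEDGER_PASSWORD;
  if (candidate === undefined) {
    // An ephemeral test ledger needs no stable secret: generate one per run.
    return randomBytes(24).toString("base64url");
  }
  return validateLedgerPassword(candidate);
}

// AFTER: the password is a mandatory parameter with no default, matching the
// breaking change described in the commits that reference this issue.
export function newEthPersonalAccount(password: string): { password: string } {
  return { password: validateLedgerPassword(password) };
}

// A small line-based check of the kind a static assessment runs: flag a
// parameter whose name mentions a password and whose default is a string
// literal. Returns the 1-based line numbers of matching lines.
export function findHardcodedPasswordDefaults(source: string): number[] {
  const pattern =
    /\b\w*(password|passwd|pwd)\w*\s*(?::\s*string)?\s*=\s*["'`][^"'`]+["'`]/i;
  return source
    .split("\n")
    .map((line, i) => (pattern.test(line) ? i + 1 : 0))
    .filter((n) => n > 0);
}

// Constructed sample source: only the insecure helper's parameter line matches.
export const SAMPLE_SOURCE = [
  "export function newEthPersonalAccountInsecure(",
  '  password: string = "example-default-pw",',
  "): { password: string } {",
  "export function newEthPersonalAccount(password: string) {",
].join("\n");
```

The random fallback in `resolveLedgerPassword` is deliberate: a test ledger that is created and discarded within one run does not need a stable secret at all, so generating one per run removes the temptation to keep a default literal "just for tests". The line-based check is intentionally simple and will miss literals assigned elsewhere; it is a smoke test for the specific pattern this issue flags, not a replacement for the full assessment.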
Affected files (path - line number)
packages/cactus-test-tooling/src/main/typescript/openethereum/openethereum-test-ledger.ts - 236
Snapshot of the source code at the time of scan: (image not preserved)
Source: APP PE Hyperledger Cacti v2.0.0 - Static Application Assessment Report.odt
cc: @takeutak @izuru0 @outSH @petermetz