CodeQL queries 1.24


Name: Password in configuration file

Description: Finds passwords in configuration files.

ID: cs/password-in-configuration

Kind: problem

Severity: warning

Precision: medium

Query: PasswordInConfigurationFile.ql
/**
 * @name Password in configuration file
 * @description Finds passwords in configuration files.
 * @kind problem
 * @problem.severity warning
 * @precision medium
 * @id cs/password-in-configuration
 * @tags security
 *       external/cwe/cwe-13
 *       external/cwe/cwe-256
 *       external/cwe/cwe-313
 */

import csharp

from XMLAttribute a
where
  // An attribute literally named "password" or "pwd" (case-insensitive) with a non-empty value
  a.getName().toLowerCase() = "password" and not a.getValue() = ""
  or
  a.getName().toLowerCase() = "pwd" and not a.getValue() = ""
  or
  // An attribute value, typically a connection string, containing "pwd=" or "password="
  // followed by something other than ";", so an empty placeholder such as "Password=;" is not reported
  a.getValue().regexpMatch("(?is).*(pwd|password)\\s*=(?!\\s*;).*")
select a, "Avoid plaintext passwords in configuration files."

Storing a plaintext password in a configuration file allows anyone who can read the file (including anyone who obtains a backup, a source-control checkout or a deployment artifact) to use the password-protected resource. Configuration files are therefore a common target for attackers, and a plaintext password found in one is a ready-made credential.
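To see concretely which attributes the query above reports and which it does not, here is an added Python re-implementation of its three conditions, run over a constructed Web.config. This is example code written for this page, not CodeQL's own implementation; the sample file and the names SAMPLE_CONFIG, is_reported and flagged_attributes are assumptions of the example.

```python
import re
import xml.etree.ElementTree as ET

# The query's third condition, verbatim: (?i) makes it case-insensitive, (?s) lets "."
# span newlines, and the negative lookahead (?!\s*;) excludes an empty "Password=;" slot.
VALUE_PATTERN = re.compile(r"(?is).*(pwd|password)\s*=(?!\s*;).*")

# Attribute names matched by the first two conditions (compared case-insensitively).
NAME_HITS = {"password", "pwd"}

# Constructed sample Web.config (not from any real project). The smtpPassword appSettings
# entry is included on purpose: its attribute names are "key" and "value" and its value
# contains no "password=", so the query as written does not report it.
SAMPLE_CONFIG = """<?xml version="1.0"?>
<configuration>
  <connectionStrings>
    <add name="Main" connectionString="Server=db;Database=app;User Id=app;Password=hunter2;" />
    <add name="Legacy" connectionString="server=db;uid=app;PWD = topsecret" />
    <add name="Integrated" connectionString="Server=db;Database=app;Integrated Security=true;" />
    <add name="Prompt" connectionString="Server=db;User Id=app;Password=;" />
  </connectionStrings>
  <appSettings>
    <add key="smtpUser" value="mailer" />
    <add key="smtpPassword" value="s3cret" />
    <add Password="letmein" />
    <add PWD="" />
  </appSettings>
</configuration>
"""


def is_reported(name: str, value: str) -> bool:
    """True if the query would report an XML attribute with this name and value."""
    if name.lower() in NAME_HITS and value != "":
        return True
    # QL's regexpMatch requires the whole string to match, hence fullmatch.
    return VALUE_PATTERN.fullmatch(value) is not None


def flagged_attributes(xml_text: str) -> list[tuple[str, str, str]]:
    """Return (element tag, attribute name, value) for every attribute the query
    reports, in document order."""
    root = ET.fromstring(xml_text)
    return [
        (elem.tag, name, value)
        for elem in root.iter()
        for name, value in elem.attrib.items()
        if is_reported(name, value)
    ]


if __name__ == "__main__":
    for tag, name, value in flagged_attributes(SAMPLE_CONFIG):
        print(f"<{tag} {name}=...>: Avoid plaintext passwords in configuration files. ({value!r})")
```

Run against the sample, three attributes are reported: the Main and Legacy connection strings (the second one shows that the match is case-insensitive and tolerates whitespace around "=") and the attribute literally named Password. The Prompt connection string is not reported because "Password=" is immediately followed by ";", and the empty PWD attribute is skipped by the non-empty check. The smtpPassword appSettings entry is also not reported, which follows directly from the query text: neither "key" nor "value" is a matched attribute name, and "s3cret" contains no "password=". Secrets stored under a descriptive key rather than a literal password attribute are outside what this query detects.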

Recommendation

Do not store plaintext passwords in configuration files. Either encrypt the sensitive section (for example with the .NET protected-configuration providers, which encrypt a section such as connectionStrings using DPAPI or an RSA key so that the plaintext never appears in the file), or keep the secret out of the file altogether and load it at runtime from a secrets store or an environment variable.

References
  • Common Weakness Enumeration: CWE-13.
  • Common Weakness Enumeration: CWE-256.
  • Common Weakness Enumeration: CWE-313.