[ ] Docker, single container deploying all components
[ ] npm run start
[X] Other (please specify below)
Backend (Jet Stream) Deployment type
[ ] Cloud Foundry Application (cf push)
[ ] Kubernetes, using a helm chart
[ ] Docker, single container deploying all components
[ ] Other (please specify below)
Expected behaviour
Rather than hard-coding the password directly in the code, encrypt it, place it in a secure location, and make the code obtain the password. You can place the user name and password in a hardened database server or in an encrypted file within a hardened file server.
Another technique is to use the password that the user provides when first logging into the application, and use that data for the password value. Note that any user input should be validated and sanitized before being used in the code. The following examples use the user-provided login password to encrypt the JSONStore database.
Example Code
```javascript
function initJSONStore(collection, loginPwd) {
  // The password is the one the user entered at login, not a literal in the source.
  var opt = {
    username : "demo",
    password : loginPwd
  };
  WL.JSONStore.init(collection, opt);
}
```
Example Code
```javascript
function initJSONStore(collection, loginPwd) {
  // Same idea using the (deprecated) usePassword() method.
  WL.JSONStore.usePassword(loginPwd);
  ...
}
```
Note that the WL.JSONStore.usePassword() method has been deprecated. Instead set the password in the password property of the options object that is passed into the WL.JSONStore.init() method.
Actual behaviour
The second argument to the WL.JSONStore.init() method or the first argument to the WL.JSONStore.usePassword() method contains a hard-coded password. This is dangerous if an attacker or a malicious internal employee could gain access to this code and locate the password in the code. The attacker could use it to break into the system with which that password is associated.
The following example shows a hardcoded password used to initialize an instance of a JSONStore:
Example Code
```javascript
function initJSONStore(collection) {
  var opt = {
    username : "demo",
    password : "demo" // hard-coded password: this is the finding
  };
  WL.JSONStore.init(collection, opt);
}
```
This example shows a hardcoded password used to initialize an instance of a JSONStore using the deprecated usePassword() method:
Example Code
```javascript
WL.JSONStore.usePassword("demo"); // hard-coded password passed to the deprecated method
```
Stratos Version
4.4.0
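As an added example (not code from this issue or from the Stratos project), a small lint-style check that flags the two patterns the finding describes, a string literal in the `password` property passed to WL.JSONStore.init() and a literal argument to WL.JSONStore.usePassword(), run over a constructed source sample; the function and sample names are hypothetical.

```javascript
// Added example, not code from the issue or the Stratos project: a lint-style
// check for the two patterns the finding describes. Function and sample names
// are hypothetical.

// A string literal in the `password` property of the options object passed to
// WL.JSONStore.init(): matches `password : "demo"` but not `password : loginPwd`.
const LITERAL_PASSWORD_PROPERTY = /\bpassword\s*:\s*(["'])(?:(?!\1).)*\1/;
// A string literal passed to the deprecated WL.JSONStore.usePassword().
const LITERAL_USE_PASSWORD = /WL\.JSONStore\.usePassword\s*\(\s*(["'])(?:(?!\1).)*\1\s*\)/;

// Returns one finding per offending line: { line, rule, text }.
function scanForHardcodedJsonStorePassword(source) {
  const findings = [];
  source.split("\n").forEach((text, index) => {
    const line = index + 1;
    if (LITERAL_PASSWORD_PROPERTY.test(text)) {
      findings.push({ line, rule: "literal-password-property", text: text.trim() });
    }
    if (LITERAL_USE_PASSWORD.test(text)) {
      findings.push({ line, rule: "literal-usePassword-argument", text: text.trim() });
    }
  });
  return findings;
}

// Constructed sample source: the two vulnerable forms from the finding followed
// by the two remediated forms, which must not be reported.
const SAMPLE_SOURCE = [
  "function initJSONStore(collection) {",
  "  var opt = {",
  '    username : "demo",',
  '    password : "demo"',
  "  };",
  "  WL.JSONStore.init(collection, opt);",
  "}",
  'WL.JSONStore.usePassword("demo");',
  "function initJSONStoreSafe(collection, loginPwd) {",
  '  WL.JSONStore.init(collection, { username : "demo", password : loginPwd });',
  "}",
  "WL.JSONStore.usePassword(loginPwd);",
].join("\n");

console.log(scanForHardcodedJsonStorePassword(SAMPLE_SOURCE));
// → two findings: line 4 (literal-password-property) and line 8 (literal-usePassword-argument)
```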
Steps to reproduce the behavior
cfmr-ui\src\test-e2e\endpoints\endpoints-register-e2e.spec.ts:233
Log output covering before error and any error statements
Detailed Description
Found hard coded password in JSON Store
Context
Possible Implementation