i2p / i2p.i2p

I2P is an anonymizing network, offering a simple layer that identity-sensitive applications can use to securely communicate. All data is wrapped with several layers of encryption, and the network is both distributed and dynamic, with no trusted parties.
https://geti2p.net

Use of Hardcoded, Security-relevant Constants #64

Closed s-b-repo closed 11 months ago

s-b-repo commented 11 months ago

```java
private static final String PROP_LS_SPK = "i2cp.leaseSetSigningPrivateKey";
// LS 2
public static final String PROP_LS_TYPE = "i2cp.leaseSetType";
private static final String PROP_LS_ENCTYPE = "i2cp.leaseSetEncType";
private static final String PROP_SECRET = "i2cp.leaseSetSecret";
```

line:70 Avoid hardcoding values that are meant to be secret. Found hardcoded secret.

core/java/src/net/i2p/client/impl/RequestLeaseSetMessageHandler.java#L70

eyedeekay commented 11 months ago

Not a bug. This is the name of a property which is stored in a configuration file; the format would be `i2cp.leaseSetSecret=secret`. It is not the value of the property, which is the actual secret.
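A triage heuristic for this kind of scanner finding, as an added example that is not part of the issue thread or the I2P code base: it separates string constants shaped like configuration key names from literals that look like secret material. The regexes, the entropy threshold, the length cut-off and the last two sample lines are constructed assumptions.

```python
import math
import re
from collections import Counter

# Java String constant declaration: captures the identifier and the literal.
DECL = re.compile(r'\bString\s+(\w+)\s*=\s*"([^"]*)"\s*;')
# Assumed shape of a configuration key: dot-separated alphanumeric segments.
KEY_SHAPE = re.compile(r'^[A-Za-z][A-Za-z0-9]*(\.[A-Za-z][A-Za-z0-9]*)+$')
ENTROPY_THRESHOLD = 4.0   # bits per character (assumed cut-off)
MIN_SECRET_LEN = 20       # shorter literals are left to a human reviewer


def shannon_entropy(s):
    """Shannon entropy of the string in bits per character."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def classify(line):
    """Return (constant_name, verdict), or None if no String literal is declared."""
    m = DECL.search(line)
    if not m:
        return None
    name, value = m.groups()
    if KEY_SHAPE.match(value):
        return name, "property-name"      # a key such as i2cp.leaseSetSecret
    if len(value) >= MIN_SECRET_LEN and shannon_entropy(value) >= ENTROPY_THRESHOLD:
        return name, "possible-secret"    # long, random-looking literal
    return name, "needs-review"


def triage(lines):
    """Map each declared constant name to its verdict."""
    return dict(r for r in map(classify, lines) if r)


# The first five lines are quoted in the issue; the last two are constructed.
SAMPLE = [
    'private static final String PROP_LS_SPK = "i2cp.leaseSetSigningPrivateKey";',
    '// LS 2',
    'public static final String PROP_LS_TYPE = "i2cp.leaseSetType";',
    'private static final String PROP_LS_ENCTYPE = "i2cp.leaseSetEncType";',
    'private static final String PROP_SECRET = "i2cp.leaseSetSecret";',
    'private static final String API_TOKEN = "q7Zp2LxV9tRb4Nw8KsJd6HfYc3Ma";',
    'private static final String GREETING = "hello world";',
]

if __name__ == "__main__":
    for name, verdict in triage(SAMPLE).items():
        print(f"{name}: {verdict}")
```

A `property-name` verdict only says the literal is shaped like a key; the configuration file that holds the value still needs its own access controls and review.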