Password in configuration file
ID: js/password-in-configuration-file
Kind: problem
Security severity: 7.5
Severity: warning
Precision: medium
Tags:
- security
- external/cwe/cwe-256
- external/cwe/cwe-260
- external/cwe/cwe-313
- external/cwe/cwe-522
Query suites:
- javascript-security-extended.qls
- javascript-security-and-quality.qls
Storing a plaintext password in a configuration file allows anyone who can read the file to access the password-protected resources, which makes it a common attack vector.
Recommendation
Passwords stored in configuration files should always be encrypted.
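The check below is an added example, not the CodeQL query and not code from the CodeQL project: it walks a parsed JSON configuration and reports where a plaintext password is stored, including one embedded in a URL. The key-name pattern, the `${VAR}` placeholder form, the `ENC(...)` wrapper and the sample configuration are assumptions made for the example.

```javascript
// Added example: heuristic check for plaintext passwords in a parsed JSON config.
// Key names, the ${VAR} placeholder form and the ENC(...) wrapper are assumptions.
const SECRET_KEY = /(password|passwd|pwd|secret)$/i;
const REFERENCE = /^\$\{[A-Za-z_][A-Za-z0-9_]*\}$/; // e.g. ${DB_PASSWORD}, resolved at deploy time
const ENCRYPTED = /^ENC\(.+\)$/;                    // hypothetical marker for an encrypted value

function isPlaintext(value) {
  return typeof value === "string" && value !== "" &&
    !REFERENCE.test(value) && !ENCRYPTED.test(value);
}

// True when a string is a URL that carries a password in its userinfo part.
function urlHasPassword(value) {
  try {
    return new URL(value).password !== "";
  } catch {
    return false; // not a URL
  }
}

// Returns findings as { path, reason }; the secret itself is never copied into the report.
function findPlaintextPasswords(node, path = []) {
  const findings = [];
  if (Array.isArray(node) || (node !== null && typeof node === "object")) {
    for (const [key, value] of Object.entries(node)) {
      const here = [...path, key];
      if (SECRET_KEY.test(key) && isPlaintext(value)) {
        findings.push({ path: here.join("."), reason: "plaintext value under secret-like key" });
      } else {
        findings.push(...findPlaintextPasswords(value, here));
      }
    }
  } else if (typeof node === "string" && urlHasPassword(node)) {
    findings.push({ path: path.join("."), reason: "password embedded in URL" });
  }
  return findings;
}

// Constructed sample configuration (not from any real project).
const sampleConfig = JSON.parse(`{
  "name": "demo-service",
  "db": { "user": "app", "password": "hunter2" },
  "cache": { "password": "\${CACHE_PASSWORD}" },
  "smtp": { "passwd": "ENC(q83hf0aa)" },
  "mirrors": ["https://deploy:tok123@registry.example.test/npm/"],
  "apiSecret": ""
}`);

console.log(findPlaintextPasswords(sampleConfig));
```

Only the location and reason are reported, so the output can be logged or attached to a ticket without repeating the secret.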