CodeQL documentation

Password in configuration file

ID: js/password-in-configuration-file
Kind: problem
Severity: warning
Precision: medium
Tags:
   - security
   - external/cwe/cwe-256
   - external/cwe/cwe-260
   - external/cwe/cwe-313
Query suites:
   - javascript-security-extended.qls
   - javascript-security-and-quality.qls

Click to see the query in the CodeQL repository

Storing a plaintext password in a configuration file allows anyone who can read the file to access the password-protected resources. Therefore it is a common attack vector.

Recommendation

Passwords stored in configuration files should always be encrypted.

References

  • Common Weakness Enumeration: CWE-256.

  • Common Weakness Enumeration: CWE-260.

  • Common Weakness Enumeration: CWE-313.