Hard-coded sensitive data

Sensitive data is exposed in code, for instance as string literals

Since R2020a

Description

This defect occurs when data that is potentially sensitive is directly exposed in the code, for instance, as string literals. The checker identifies certain data as sensitive from their use in certain functions such as password encryption functions.

Following data can be potentially sensitive.

Type of Data	Functions That Indicate Sensitive Nature of Information
Host name	`sethostname`, `setdomainname`, `gethostbyname`, `gethostbyname2`, `getaddrinfo`, `gethostbyname_r`, `gethostbyname2_r` (string argument) `inet_aton`, `inet_pton`, `inet_net_pton`, `inet_addr`, `inet_network` (string argument) `mysql_real_connect`, `mysql_real_connect_nonblocking`, `mysql_connect` (2nd argument)
Password	`CreateProcessWithLogonW`, `LogonUser` (1st argument) `mysql_real_connect`, `mysql_real_connect_nonblocking`, `mysql_connect` (3rd argument)
Database	MySQL: `mysql_real_connect`, `mysql_real_connect_nonblocking`, `mysql_connect` (4th argument) SQLite: `sqlite3_open`, `sqlite3_open16`, `sqlite3_open_v2` (1st argument) PostgreSQL: `PQconnectdb` Microsoft SQL: `SQLDriverConnect` (3rd argument)
User name	`getpw`, `getpwnam`, `getpwnam_r`, `getpwuid`, `getpwuid_r`
Salt	`crypt`, `crypt_r` (2nd argument)
Cryptography keys and initialization vectors	OpenSSL: `EVP_CipherInit`, `EVP_EncryptInit`, `EVP_DecryptInit` (3rd argument) `EVP_CipherInit_ex`, `EVP_EncryptInit_ex`, `EVP_DecryptInit_ex` (4th argument)
Seed	`srand`, `srandom`, `initstate` (1st argument) OpenSSL: `RAND_seed`, `RAND_add`

Risk

Information that is hardcoded can be queried from binaries generated from the code.

Fix

Avoid hard coding sensitive information.

Examples

expand all

Sensitive Data Exposed Through String Literals

// Typically, you include the header "mysql.h" with function and type declarations.
// In this example, only the required lines from the header are quoted.

typedef struct _MYSQL MYSQL;

MYSQL *mysql_real_connect(MYSQL *mysql,
                          const char *host, const char *user, const char *passwd,
                          const char *db, unsigned int port, const char *unix_socket,
                          unsigned long client_flag);

typedef void * DbHandle;
extern MYSQL *sql;

// File that uses functions from "mysql.h" 
const char *host = "localhost";
char *user = "guest";
char *passwd;

DbHandle connect_to_database_server(const char *db)
{
    passwd = (char*)"guest";
    return (DbHandle)
        mysql_real_connect (sql, host, user, passwd, db, 0, 0x0, 0);
}

In this example, the arguments host (host name), user (user name), and passwd (password) are string literals and directly exposed in the code.

Querying the generated binary for ASCII strings can reveal this information.

Correction – Read Sensitive Data from Secured Configuration Files

One possible correction is to read the data from a configuration file. In the following corrected example, the call to function connect_to_database_server_init presumably reads the host name, user name, and password into its arguments from a secured configuration file.

// Typically, you include the header "mysql.h" with function and type declarations.
// In this example, only the required lines from the header are quoted.

typedef struct _MYSQL MYSQL;

MYSQL *mysql_real_connect(MYSQL *mysql,
                          const char *host, const char *user, const char *passwd,
                          const char *db, unsigned int port, const char *unix_socket,
                          unsigned long client_flag);

typedef void * DbHandle;
extern MYSQL *sql;

// File that uses functions from "mysql.h" 

int connect_to_database_server_init(const char **host,
                                    const char **user,
                                    const char **passwd,
                                    const char **db);

DbHandle connect_to_database_server(const char *db)
{
    const char *host_from_cfg;
    const char *user_from_cfg;
    const char *passwd_from_cfg;
    const char *db_from_cfg;
    if (connect_to_database_server_init(&host_from_cfg,
                                        &user_from_cfg,
                                        &passwd_from_cfg,
                                        &db_from_cfg))
    {
        return (DbHandle)
            mysql_real_connect (sql, host_from_cfg, user_from_cfg, 
                        passwd_from_cfg, db_from_cfg,  0, 0x0, 0);
    }
    else
        return (DbHandle)0x0;
}

Result Information

Group: Security

Language: C | C++

Default: Off

Command-Line Syntax: HARD_CODED_SENSITIVE_DATA

Impact: Medium

Version History

Introduced in R2020a