JavaScript

Made by DeepSource

Found hardcoded credentials in source code JS-S1021

Security
Critical
A02 · CWE-798 · CWE-259 · SANS Top 25 · OWASP Top 10

Hardcoded credentials in source code (passwords, tokens, API keys, connection strings) are a security risk even when the repository is private and/or self-hosted: anyone with read access to the repository, its history, a build artifact, or an error stack trace obtains the secret, and rotating it requires a code change and redeploy.

Read such values from the environment instead of embedding them. In Node.js a common approach is the dotenv package, which loads variables from a .env file into process.env. Keep the .env file out of version control (for example by listing it in .gitignore) and inject the real values through the deployment environment. Note that dotenv runs in Node.js; any value a bundler inlines into a browser bundle is still delivered to every client, so a secret that must stay private belongs on the server, not in client-side code.

Bad Practice

import { initializeApp } from "firebase/app";
const app = initializeApp({
  apiKey: "<YOUR_API_KEY_AS_A_STRING_LITERAL>",
  // ^ This setting here may be exposed in error message stack traces etc.
  appId: "1:2729...",
  projectId: "firebase-project",
  databaseURL: "https://<app>.firebaseio.com",
  // ...
});

import mysql from "mysql";

const conn = mysql.createConnection({
  host: "<url>",
  user: "bob",
  password: "ABc-07"
});

Recommended

import { initializeApp } from "firebase/app";
import dotenv from "dotenv";

// loads the variables defined in a `.env` file into process.env
// (keep `.env` out of version control; in production inject the
// values through the deployment environment instead)
dotenv.config();

const app = initializeApp({
  apiKey: process.env.FIREBASE_API_KEY,
  appId: "1:2729...",
  projectId: "firebase-project",
  databaseURL: "https://<app>.firebaseio.com",
  // ...
});

import mysql from "mysql";
import dotenv from "dotenv";

dotenv.config();

const conn = mysql.createConnection({
  host: process.env.SQL_HOST,
  user: process.env.SQL_USER,
  password: process.env.SQL_PASSWORD
});
