PVS-Studio memasuki pertempuran dengan kata sandi hardcode

PVS-Studio adalah penganalisis statis yang memungkinkan Anda mendeteksi banyak masalah yang tersembunyi di kode sumber. Mereka juga menyertakan bug yang terkait dengan keamanan aplikasi. Misalnya, penganalisis baru-baru ini mempelajari cara mendeteksi keberadaan data rahasia dalam kode, seperti sandi. Kerentanan potensial ini ada dalam daftar Sepuluh Besar OWASP dan jauh lebih berbahaya daripada yang terlihat pada pandangan pertama. Apakah bahaya ini, dan bagaimana penganalisis statis dapat melindungi Anda darinya? Nah, artikel ini menulis tentang ini (dan tidak hanya)!

PVS-Studio SAST , , C, C++, C# Java. ( ) " PVS-Studio 2021 ".

SAST , . C#- . 2.10.4 OWASP Application Security Verification Standard (ASVS):

Verify passwords, integrations with databases and third-party systems, seeds and internal secrets, and API keys are managed securely and not included in the source code or stored within source code repositories. Such storage SHOULD resist offline attacks. The use of a secure software key store (L1), hardware TPM, or an HSM (L3) is recommended for password storage.

, , OWASP Top Ten. Common Weakness Enumeration (CWE) 2 , : CWE-798 CWE-259. – ?

– - , , . - : .

, . . , , , , . , .

, , . , . . , . . . – , , brute force . , .

: , / , . , . , , .

, , , , , . , , , , - – , . . Common Vulnerabilities and Exposures (CVE) , . , , .

, , , : CVE . – CVE-2012-5862. , CVE, "login.php", :

$password = mysql_escape_string($_POST['password']);

if (crypt($password,salt)=='satIZufhIrUfk'){
  $sql_pthr_ = "SELECT user,password FROM account WHERE livello = 0";
  ....
}

if ($password=='astridservice' and $stilecustumization=='astrid'){ // <=
  ....
}

if (crypt($password,salt)=='saF8bay.tvfOk'){
  $sql_insert="INSERT INTO account(user,password,livello,nome) VALUES  
               ('sinapsi','sinapsi','0','Amministratore Sinapsi')";
  ....
}

      
      

        
        
        
      

    
        
        
        
      
      

        
        
        
      

    
    

, , , . , , .

C#- PVS-Studio V5601. , C#-, :

string password = request.GetPostValue("password");
....
if (password == "astridservice" && stilecustomization == "astrid") 
....

      
      

        
        
        
      

    
        
        
        
      
      

        
        
        
      

    
    

, PVS-Studio :

V5601 Suspicious string literal could be a password: 'astridservice'. Storing credentials inside source code can lead to security issues.

, . , .

. , V5601 OWASP. PVS-Studio 7.12. OWASP- , , , , Visual Studio Rider .

– : . CVE-, . :

• CVE-2004-1920 – super- super-;

  
  
  
  
  

• CVE-2004-2556 – super- () -super- "5777364";

  
  
  
  
  

• CVE-2004-2557 – "" CVE-2004-2556 ( , super);

  
  
  
  
  

• CVE-2012-1288 – ;

  
  
  
  
  

• CVE-2012-2949 – Android

  
  
  
  
  

• . .

  
  
  
  
  

, – ( ). . , , , , . , .

pull request'. . , , . , . , pull request', (. " CI").

: , CI. - , . V5601, , .

, , . open-source – , , . , . , , - ? . , . , , "" , .

PVS-Studio : , , . , . V5601 – , , .

, PVS-Studio ? , . , , !

, : Nikita Lipilin. PVS-Studio Clashes with Hardcoded Passwords.