Ruby Unsafe Hardcoded Password
Description
Detects hardcoded passwords in Ruby code when establishing database connections or making HTTP requests with basic authentication. Embedding credentials in source code exposes them to anyone who can read the code, its version-control history or a built artifact, which could lead to unauthorized database access if the code is compromised.
Detection Strategy
• Check if any database or HTTP libraries are imported (pg, mysql2, redis, mongo, net/http)
• Look for database connection calls using methods like 'connect' or 'new' with PG::Connection, Mysql2::Client, Redis, or Mongo::Client
• Search for HTTP requests using basic authentication via the basic_auth method
• Examine method arguments to identify hardcoded password strings in database connections or basic auth credentials
• Flag any connection attempts where passwords are directly written in the code rather than loaded from configuration or environment variables
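The detection strategy above, implemented as a small file-level heuristic scanner. This is an added example written for this page, not Fluid Attacks' own rule engine: it is regex-based rather than AST-based, the sample sources are constructed, and the library list, constructor list and the `find_hardcoded_passwords` name are assumptions. It only reports a finding when a sensitive library is required, when a password string literal appears inside one of the listed connection constructors, or when `basic_auth` receives a literal password; `ENV[...]` lookups are not flagged.

```ruby
# Libraries from the detection strategy; a file that requires none of them is skipped.
SENSITIVE_LIBS = %w[pg mysql2 redis mongo net/http].freeze

# require "pg" / require 'net/http'
REQUIRE_RE = /\Arequire\s+["']([^"']+)["']/

# Connection constructors named in the detection strategy (assumed list).
CONNECT_RE = /(PG\.connect|PG::Connection\.new|Mysql2::Client\.new|Redis\.new|Mongo::Client\.new)/

# password: "literal"  or  :password => 'literal'  (non-empty string literal only)
PASSWORD_LITERAL_RE = /(?:password:|:password\s*=>)\s*(["'])[^"']+\1/

# basic_auth "user", "literal"  or  basic_auth("user", 'literal')
BASIC_AUTH_RE = /basic_auth\(?\s*(["'])[^"']*\1\s*,\s*(["'])[^"']+\2/

# A finding records where the literal was seen, never the secret itself.
Finding = Struct.new(:line, :kind)

def find_hardcoded_passwords(source)
  lines = source.lines.map(&:chomp)
  libs = lines.filter_map { |l| l.strip[REQUIRE_RE, 1] }
  return [] if (libs & SENSITIVE_LIBS).empty?

  findings = []
  in_connect = false # true while inside a multi-line connection constructor call
  lines.each_with_index do |line, idx|
    stripped = line.strip
    next if stripped.start_with?("#")

    in_connect = true if stripped.match?(CONNECT_RE)
    if in_connect && stripped.match?(PASSWORD_LITERAL_RE)
      findings << Finding.new(idx + 1, :db_password)
    end
    if stripped.match?(BASIC_AUTH_RE)
      findings << Finding.new(idx + 1, :basic_auth)
    end
    # A line ending the argument list closes the constructor call.
    in_connect = false if stripped.end_with?(")")
  end
  findings
end

# Constructed sample: the page's vulnerable pattern plus a basic-auth literal.
VULNERABLE_SAMPLE = <<~RUBY
  require "pg"
  require "net/http"
  conn = PG.connect(
    host: "localhost",
    dbname: "users",
    user: "postgres",
    password: "postgres123" # hardcoded credential
  )
  req = Net::HTTP::Get.new("/admin")
  req.basic_auth("admin", "hunter2")
RUBY

# Constructed sample: credentials loaded from the environment, nothing to flag.
SECURE_SAMPLE = <<~RUBY
  require "pg"
  conn = PG.connect(host: ENV["PG_HOST"], user: ENV["PG_USER"], password: ENV["PG_PASSWORD"])
RUBY

if __FILE__ == $PROGRAM_NAME
  find_hardcoded_passwords(VULNERABLE_SAMPLE).each do |f|
    puts "line #{f.line}: #{f.kind} literal detected"
  end
end
```

Running the file reports line 7 (`:db_password`) and line 10 (`:basic_auth`) for the vulnerable sample and nothing for the secure one. The scanner deliberately never echoes the matched literal, so its own output does not become another place the secret is stored.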
Vulnerable code example
require "pg"
# Hardcoded database credentials expose sensitive information
conn = PG.connect(
  host: "localhost",
  dbname: "users",
  user: "postgres",
  password: "postgres123" # Vulnerable: Hardcoded credential in source code
)
✅ Secure code example
require "pg"
# Use environment variables to protect sensitive credentials
conn = PG.connect(
  host: ENV["PG_HOST"],
  dbname: ENV["PG_DB"],
  user: ENV["PG_USER"],
  password: ENV["PG_PASSWORD"] # Secure: Credentials from environment variables
)