Dart Hardcoded Password In Connection
Description
This detector identifies hardcoded passwords in Dart database connection methods. When a password is embedded directly in source code rather than retrieved at runtime from secure configuration or environment variables, it can be recovered by anyone with access to the source repository, build or debug logs, or the compiled binary (Dart string literals survive AOT compilation into native and Flutter builds). A leaked password of this kind also cannot be rotated without a code change and a redeploy.
Detection Strategy
• The scanner first checks whether the Dart file imports a known database library, matching the import URIs against a list of known package prefixes (such as package:mysql1 or package:postgres)
• It then examines method calls in the file to identify database connection methods (connection constructors or connection-settings builders such as ConnectionSettings)
• For each connection method found, the scanner walks the call's arguments to locate the password parameter
• A vulnerability is reported when the password argument is a string literal, rather than a value obtained at runtime from a secure source such as an environment variable, a secrets manager, or a configuration file that is not committed to the repository
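A minimal implementation of the four steps above, written in Python as an added example for this page; it is not Fluid Attacks' detector, whose import and constructor lists are not published here. The import prefixes, the two constructor names (mysql1's ConnectionSettings and the postgres 2.x PostgreSQLConnection signature), and the Dart samples are assumptions constructed for the example. It also applies one check the text implies but does not spell out: a literal that interpolates a variable ('$secret') is not a constant and is left alone, while a raw literal (r'$x') never interpolates and is still reported.

```python
import re
from dataclasses import dataclass

# Hypothetical lists for this example; the page does not publish the detector's own.
# mysql1 takes ConnectionSettings({host, user, password, ...}); postgres 2.x took
# PostgreSQLConnection(host, port, db, {username, password}).
DB_IMPORT_PREFIXES = ("package:mysql1/", "package:postgres/", "package:mongo_dart/")
CONNECTION_CALLS = ("ConnectionSettings", "PostgreSQLConnection")

_IMPORT_RE = re.compile(r"""^\s*import\s+['"]([^'"]+)['"]""", re.M)
_CALL_RE = re.compile(r"\b(" + "|".join(CONNECTION_CALLS) + r")\s*\(")
# Exactly one Dart string literal (optionally raw), nothing else around it.
_LITERAL_RE = re.compile(r"""^(?:r?'(?:[^'\\]|\\.)*'|r?"(?:[^"\\]|\\.)*")$""")


@dataclass
class Finding:
    line: int   # 1-based line of the connection call
    call: str   # constructor that received the literal
    value: str  # the literal as written, so the finding can be triaged


def uses_db_library(source: str) -> bool:
    """Step 1: only files that import a known database package are analysed."""
    return any(imp.startswith(DB_IMPORT_PREFIXES) for imp in _IMPORT_RE.findall(source))


def call_args(source: str, open_idx: int):
    """Top-level arguments of the call whose '(' sits at open_idx, or None if unbalanced.
    Nesting and string literals are tracked, so a comma or parenthesis inside a nested
    call, a list index, or the password itself does not break the split."""
    parts, depth, quote, start, i = [], 0, None, open_idx + 1, open_idx
    while i < len(source):
        c = source[i]
        if quote:
            if c == "\\":
                i += 1                # skip the escaped character
            elif c == quote:
                quote = None
        elif c in "'\"":
            quote = c
        elif c in "([{":
            depth += 1
        elif c in ")]}":
            depth -= 1
            if depth == 0:
                parts.append(source[start:i])
                return [p.strip() for p in parts if p.strip()]
        elif c == "," and depth == 1:
            parts.append(source[start:i])
            start = i + 1
        i += 1
    return None


def is_hardcoded(value: str) -> bool:
    """Step 4: the argument is a bare string literal. Interpolated literals ('$secret',
    '${cfg.pw}') carry a runtime value and are not reported; raw literals (r'$x') are."""
    value = value.strip()
    if not _LITERAL_RE.match(value):
        return False
    return value.startswith("r") or "$" not in value


def scan(source: str) -> list:
    """Run steps 1-4 over one Dart file; findings come back in source order."""
    if not uses_db_library(source):
        return []
    findings = []
    for m in _CALL_RE.finditer(source):                 # step 2: connection calls
        args = call_args(source, m.end() - 1)
        for arg in args or []:                          # step 3: named arguments
            name, sep, value = arg.partition(":")
            if sep and name.strip() == "password" and is_hardcoded(value):
                findings.append(Finding(source.count("\n", 0, m.start()) + 1,
                                        m.group(1), value.strip()))
    return findings


# Constructed Dart samples, not taken from any real project.
VULNERABLE_DART = """\
import 'package:mysql1/mysql1.dart';

Future<void> connect() async {
  await MySqlConnection.connect(ConnectionSettings(
    host: 'localhost',
    user: 'root',
    password: 'hunter2',
    db: 'app',
  ));
}
"""
# Same file with only the password expression swapped (import of dart:io omitted on purpose;
# the scanner does not need it).
SAFE_DART = VULNERABLE_DART.replace("'hunter2'", "Platform.environment['DB_PASSWORD']")
INTERPOLATED_DART = VULNERABLE_DART.replace("'hunter2'", "'$secret'")
POSTGRES_DART = ("import 'package:postgres/postgres.dart';\n"
                 "final conn = PostgreSQLConnection('localhost', 5432, 'app', "
                 "username: 'app', password: \"pw\");\n")
NO_DB_IMPORT_DART = "import 'dart:io';\nfinal s = ConnectionSettings(password: 'x');\n"

if __name__ == "__main__":
    for name, src in [("vulnerable", VULNERABLE_DART), ("safe", SAFE_DART),
                      ("interpolated", INTERPOLATED_DART), ("postgres", POSTGRES_DART),
                      ("no-db-import", NO_DB_IMPORT_DART)]:
        print(f"{name}: {scan(src)}")
```

The no-db-import sample shows why step 1 exists: a ConnectionSettings call in a file that imports no database package is never analysed, which keeps the rule from firing on unrelated classes that happen to share the name. Comments inside an argument list are not stripped by this toy scanner, so a trailing `// ...` on the password line would hide the literal; a production detector works on the parsed AST rather than on text.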
Vulnerable code example
import 'package:mysql1/mysql1.dart';
import 'package:postgres/postgres.dart';

// VULNERABLE: Hardcoded password in database connection
Future<void> connectDatabase() async {
  final conn = await MySqlConnection.connect(ConnectionSettings(
    host: 'localhost',
    user: 'root',
    // A string literal here is what the detector reports; the value is a placeholder.
    password: 'hardcoded-password',
  ));
  await conn.close();
}
✅ Secure code example
import 'dart:io' show Platform;
import 'package:mysql1/mysql1.dart';
import 'package:postgres/postgres.dart';

// SAFE: Password from environment variable - externalized secret
Future<void> connectDatabase() async {
  final password = Platform.environment['DB_PASSWORD'];
  if (password == null || password.isEmpty) {
    // Fail early instead of silently connecting with an empty password.
    throw StateError('DB_PASSWORD is not set');
  }
  final conn = await MySqlConnection.connect(ConnectionSettings(
    host: 'localhost',
    user: 'root',
    password: password,
  ));
  await conn.close();
}