Database

Typescript Hardcoded Db Password

Description

Identifies database credentials that are hardcoded directly in source code rather than loaded from secure configuration (environment variables, a secrets manager, or an injected config file). A hardcoded database password is a critical risk: anyone who can read the source, the build artifact, or the repository can extract it and connect to the database directly, and once committed it remains in version control history even after the line is removed.

Weakness:

359 - Sensitive information in source code - Credentials

Category: Information Collection

Detection Strategy

- Scans for string literals or constant values used in database connection configurations and credentials
- Checks database-related constructor and function calls, and connection strings, for hardcoded password parameters
- Reports a vulnerability when credentials are given as literal values in the code instead of being loaded from secure configuration
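The following is an added example, not the analyzer's own implementation: a line-oriented TypeScript detector that applies the three checks above to Sequelize positional arguments, object-literal `password:` properties, and connection URLs with embedded credentials. The client names, the regular expressions, and both sample sources are assumptions constructed for the example.

```typescript
// Added example (not the analyzer's own implementation): a line-oriented
// detector that follows the three detection bullets. The patterns and the
// sample sources below are assumptions / constructed inputs.

interface Finding {
  line: number
  kind: 'positional-argument' | 'object-property' | 'connection-url'
  snippet: string // offending line with the secret replaced by ***
}

// 1. Sequelize-style positional credentials: new Sequelize('db', 'user', 'secret', ...)
const POSITIONAL = /new\s+Sequelize\s*\(\s*(['"`])[^'"`]*\1\s*,\s*(['"`])[^'"`]*\2\s*,\s*(['"`])([^'"`]*)\3/
// 2. Object-literal config (pg, mysql2, mongoose style): { password: 'secret' }
const PROPERTY = /\b(?:password|pass|pwd)\s*:\s*(['"`])([^'"`]*)\1/i
// 3. Connection strings with embedded credentials: 'postgres://user:secret@host/db'
const URL_CREDS = /(['"`])(?:postgres(?:ql)?|mysql|mariadb|mongodb(?:\+srv)?|mssql|redis):\/\/[^:@'"`\s]+:([^@'"`\s]+)@/i

// pattern, capture group holding the candidate secret, finding kind
const CHECKS: Array<[RegExp, number, Finding['kind']]> = [
  [POSITIONAL, 4, 'positional-argument'],
  [PROPERTY, 2, 'object-property'],
  [URL_CREDS, 2, 'connection-url'],
]

// A literal counts as a hardcoded secret only if it is non-empty and is not a
// template placeholder such as `${process.env.DB_PASS}` in a backtick string.
function isHardcodedSecret(value: string): boolean {
  return value.length > 0 && !value.includes('${')
}

function scanSource(source: string): Finding[] {
  const findings: Finding[] = []
  source.split(/\r?\n/).forEach((text, index) => {
    for (const [pattern, group, kind] of CHECKS) {
      const match = pattern.exec(text)
      const value = match ? match[group] : ''
      if (match && isHardcodedSecret(value)) {
        // Never copy the secret itself into the report: findings end up in CI logs.
        findings.push({ line: index + 1, kind, snippet: text.trim().replace(value, '***') })
      }
    }
  })
  return findings
}

// Constructed sample inputs (not taken from any real project).
const VULNERABLE_SOURCE = [
  "import { Sequelize } from 'sequelize'",
  "const sequelize = new Sequelize('my_database', 'db_user', 'P@ssw0rd!', {",
  "  dialect: 'postgres',",
  "})",
  "const pool = new Pool({ user: 'app', password: 'hunter2' })",
  "const url = 'postgres://app:s3cret@db.internal:5432/app'",
].join('\n')

const SAFE_SOURCE = [
  "const sequelize = new Sequelize(dbName, dbUser, process.env.DB_PASS ?? '', opts)",
  "const pool = new Pool({ user: 'app', password: process.env.DB_PASS })",
  "const url = `postgres://app:${process.env.DB_PASS}@db.internal:5432/app`",
].join('\n')

console.log(scanSource(VULNERABLE_SOURCE)) // three findings, secrets redacted
console.log(scanSource(SAFE_SOURCE))       // []
```

The detector deliberately redacts the matched value in its output: a scanner that prints the password it found into a CI log has just copied the secret to one more place. A line-based scan like this misses credentials split across lines or built by concatenation; a real rule works on the parsed AST and follows constant assignments.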

Vulnerable code example

```typescript
import { Sequelize } from 'sequelize'

// Security risk: hardcoded database credentials exposed in source code
const sequelize = new Sequelize('my_database', 'db_user', 'P@ssw0rd!', {
  dialect: 'postgres',
  host: 'localhost',
  port: 5432,
  logging: false
})

export default sequelize
```

✅ Secure code example

```typescript
import { Sequelize, Options } from 'sequelize'

// SAFE: load database configuration from environment variables
const dbName = process.env.DB_NAME || 'my_database'
const dbUser = process.env.DB_USER || 'db_user'
// Caveat: the '' fallback means a missing DB_PASS is only noticed when the
// connection is attempted; refusing to start when it is unset is the safer choice.
const dbPass = process.env.DB_PASS || ''
const dbHost = process.env.DB_HOST || 'localhost'
const dbPort = Number(process.env.DB_PORT) || 5432

const options: Options = {
  dialect: 'postgres',
  host: dbHost,
  port: dbPort,
  logging: process.env.DB_LOGGING === 'true'
}

const sequelize = new Sequelize(dbName, dbUser, dbPass, options)

export default sequelize
```
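As an added example (not part of the original page), here is a fail-fast variant of the loader above: it refuses to start when `DB_PASS` is unset, empty, or an obvious placeholder, validates the port, and offers a redacted view for logging. The `env` object is passed in rather than read from `process.env` so the loader can be exercised with a plain object; the placeholder list is an assumption.

```typescript
// Added example (not from the page): fail-fast loading of the same variables
// the secure example uses. Call loadDbConfig(process.env) in production; the
// placeholder list is an assumption.

type Env = Record<string, string | undefined>

interface DbConfig {
  database: string
  username: string
  password: string
  host: string
  port: number
}

// Values that usually mean a template was deployed without a real secret.
const PLACEHOLDERS = new Set(['changeme', 'password', 'secret', 'todo', 'example'])

function required(env: Env, name: string): string {
  const value = env[name]
  if (value === undefined || value.trim() === '') {
    throw new Error(`${name} is not set; refusing to start without it`)
  }
  return value
}

function loadDbConfig(env: Env): DbConfig {
  const password = required(env, 'DB_PASS')
  if (PLACEHOLDERS.has(password.toLowerCase())) {
    // Say what is wrong without echoing the value: the message may be logged.
    throw new Error('DB_PASS looks like a placeholder; set a real secret')
  }
  // Empty or unset DB_PORT falls back to the PostgreSQL default, like the page's example.
  const portText = env.DB_PORT?.trim() || '5432'
  const port = Number(portText)
  if (!Number.isInteger(port) || port < 1 || port > 65535) {
    throw new Error('DB_PORT must be an integer between 1 and 65535')
  }
  return {
    database: required(env, 'DB_NAME'),
    username: required(env, 'DB_USER'),
    password,
    host: env.DB_HOST ?? 'localhost',
    port,
  }
}

// Same shape with the secret masked, for debug output and error reports.
function redactedConfig(config: DbConfig): DbConfig {
  return { ...config, password: '***' }
}

// Usage, wired into the page's Sequelize setup:
//   const cfg = loadDbConfig(process.env)
//   new Sequelize(cfg.database, cfg.username, cfg.password,
//                 { dialect: 'postgres', host: cfg.host, port: cfg.port })
//   console.log(redactedConfig(cfg))
```

Failing at startup turns a misconfigured deployment into an immediate, visible error instead of a connection that silently uses an empty password or a leftover template value.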