Dart Smtp Hardcoded Password
Description
This detector identifies hardcoded passwords in Dart SMTP server configurations using the mailer package. Hardcoded passwords in source code pose a significant security risk as they can be exposed through version control systems, code reviews, or reverse engineering, potentially granting unauthorized access to email services.
Detection Strategy
• The code must import the 'package:mailer' library
• A vulnerability is reported when SmtpServer constructors or positional factory methods contain hardcoded password arguments
• For SmtpServer constructor calls, the detector examines the constructor arguments to identify hardcoded password values
• For positional SMTP factory methods, the detector checks specific parameter positions known to accept password values
• The vulnerability is triggered when a string literal or other hardcoded value is found in password parameter positions rather than a variable or configuration reference
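The detection strategy above, as an added example that is not Fluid Attacks' detector code: a small Python scanner that applies the same rules (mailer import required, named password: argument on SmtpServer, fixed password position on the positional factories) to constructed Dart snippets. It assumes the positional factory helpers in package:mailer (gmail, hotmail, yahoo, mailgun, sendgrid) take the password as their second argument; the Dart snippets and the SMTP_PASSWORD variable name are constructed for the example.

```python
import re
from dataclasses import dataclass

# Assumption for this example: positional factory helpers from package:mailer's
# smtp_server/*.dart files (for example gmail(userName, password)) take the
# password as their second argument, i.e. 0-based index 1.
POSITIONAL_PASSWORD_INDEX = {"gmail": 1, "hotmail": 1, "yahoo": 1, "mailgun": 1, "sendgrid": 1}

MAILER_IMPORT = re.compile(r"""import\s+['"]package:mailer""")
CALL = re.compile(r"\b(SmtpServer|" + "|".join(POSITIONAL_PASSWORD_INDEX) + r")\s*\(")
STRING_LITERAL = re.compile(r"""^r?['"]""")  # plain, raw, single/double or triple-quoted


@dataclass(frozen=True)
class Finding:
    line: int        # 1-based line of the call
    call: str        # SmtpServer or the factory name
    argument: str    # offending argument text


def _extract_call_args(src, start):
    """Return the text between the '(' just before src[start] and its matching ')'."""
    depth, quote, escape = 1, None, False
    for i in range(start, len(src)):
        c = src[i]
        if quote:                       # inside a string literal: only look for its end
            if escape:
                escape = False
            elif c == "\\":
                escape = True
            elif c == quote:
                quote = None
        elif c in "'\"":
            quote = c
        elif c == "(":
            depth += 1
        elif c == ")":
            depth -= 1
            if depth == 0:
                return src[start:i]
    return src[start:]                  # unterminated call: take the rest


def _split_args(args):
    """Split an argument list on top-level commas (not inside strings or brackets)."""
    parts, cur, depth, quote, escape = [], [], 0, None, False
    for c in args:
        if quote:
            cur.append(c)
            if escape:
                escape = False
            elif c == "\\":
                escape = True
            elif c == quote:
                quote = None
            continue
        if c in "'\"":
            quote = c
        elif c in "([{":
            depth += 1
        elif c in ")]}":
            depth -= 1
        elif c == "," and depth == 0:
            parts.append("".join(cur).strip())
            cur = []
            continue
        cur.append(c)
    tail = "".join(cur).strip()
    if tail:
        parts.append(tail)
    return parts


def is_string_literal(expr):
    """True when the expression starts with a Dart string literal, not a variable or config reference."""
    return bool(STRING_LITERAL.match(expr.strip()))


def scan_dart(source):
    """Apply the rule: report password arguments that are string literals."""
    findings = []
    if not MAILER_IMPORT.search(source):
        return findings                 # precondition: the file must import package:mailer
    for m in CALL.finditer(source):
        name = m.group(1)
        parts = _split_args(_extract_call_args(source, m.end()))
        line = source.count("\n", 0, m.start()) + 1
        if name == "SmtpServer":        # named parameter: password: <expr>
            for part in parts:
                key, sep, value = part.partition(":")
                if sep and key.strip() == "password" and is_string_literal(value):
                    findings.append(Finding(line, name, part))
        else:                           # positional factory: password at a known index
            idx = POSITIONAL_PASSWORD_INDEX[name]
            if idx < len(parts) and is_string_literal(parts[idx]):
                findings.append(Finding(line, name, parts[idx]))
    return findings


# Constructed Dart inputs (placeholder hosts, accounts and secrets).
VULNERABLE_DART = """import 'package:mailer/mailer.dart';
import 'package:mailer/smtp_server.dart';
import 'package:mailer/smtp_server/gmail.dart';

void vulnerable() {
  SmtpServer(
    'smtp.example.com',
    port: 587,
    username: 'user@example.com',
    password: 'placeholder-secret', // literal in password position
  );
  gmail('user@example.com', "placeholder-secret"); // positional factory
}
"""
SECURE_DART = """import 'dart:io' show Platform;
import 'package:mailer/mailer.dart';
import 'package:mailer/smtp_server.dart';

void secure() {
  final password = Platform.environment['SMTP_PASSWORD'];
  SmtpServer('smtp.example.com', port: 587, username: 'user@example.com', password: password);
}
"""
NO_IMPORT_DART = """import 'package:other_smtp/other.dart';

void other() {
  SmtpServer('smtp.example.com', password: 'placeholder-secret'); // not package:mailer
}
"""

if __name__ == "__main__":
    for label, src in [("vulnerable", VULNERABLE_DART), ("secure", SECURE_DART), ("no import", NO_IMPORT_DART)]:
        print(label, scan_dart(src))
```

The scanner is deliberately textual (balanced-paren extraction instead of a Dart parser), so it mirrors the rule's shape rather than its exact implementation: a literal that is merely concatenated with a reference still starts with a quote and is still reported, while a variable, a Platform.environment lookup or a config accessor is not.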
Vulnerable code example

import 'package:mailer/mailer.dart';
import 'package:mailer/smtp_server.dart';
import 'package:mailer/smtp_server/gmail.dart';

void vulnerableEmailConfig() {
  // VULNERABLE: Hardcoded password in SMTP constructor
  SmtpServer(
    'smtp.example.com',
    port: 587,
    username: 'user@example.com', // placeholder account name
    password: 'hardcoded-password-placeholder', // placeholder; any string literal here is the defect
  );
}

Secure code example
import 'dart:io' show Platform;
import 'package:mailer/mailer.dart';
import 'package:mailer/smtp_server.dart';
import 'package:mailer/smtp_server/gmail.dart';

void secureEmailConfig() {
  // SECURE: Password from environment variable (SMTP_PASSWORD is a placeholder name)
  SmtpServer(
    'smtp.example.com',
    port: 587,
    username: Platform.environment['SMTP_USERNAME'],
    password: Platform.environment['SMTP_PASSWORD'],
  );
}