Elixir Redis Hardcoded Credentials
Description
This detector identifies hardcoded credentials in Elixir Redis connections using the Redix.start_link function. When database credentials are hardcoded directly in source code, they become visible to anyone with access to the codebase and cannot be easily rotated, creating significant security risks. Hardcoded credentials are particularly dangerous as they may be inadvertently exposed through version control systems or shared codebases.
Detection Strategy
• Reports when code contains a call to the Redix.start_link function in Elixir
• The first argument passed to Redix.start_link contains hardcoded credential information
• Credentials are detected as literal strings or other hardcoded values rather than being retrieved from environment variables, configuration files, or other secure credential management systems
• This applies to Redis connection strings that include authentication details like passwords or API keys embedded directly in the source code
Vulnerable code example
# Vulnerable: hardcoded password in URI
Redix.start_link("redis://:myPassword123@localhost:6379")
# Vulnerable: password option with literal value
Redix.start_link(
host: "localhost",
password: "hardcodedSecret"
)✅ Secure code example
# Secure: password from environment variable
Redix.start_link(System.fetch_env!("REDIS_URL"))
# Secure: password option from environment
Redix.start_link(
host: "localhost",
password: System.fetch_env!("REDIS_PASSWORD") # Fetch from env instead of hardcoding
)Search for vulnerabilities in your apps for free with Fluid Attacks' automated security testing! Start your 21-day free trial and discover the benefits of the Continuous Hacking Essential plan. If you prefer the Advanced plan, which includes the expertise of Fluid Attacks' hacking team, fill out this contact form.