logo

Database

Elixir Redis Hardcoded Credentials

Description

This detector identifies hardcoded credentials in Elixir Redis connections using the Redix.start_link function. When database credentials are hardcoded directly in source code, they become visible to anyone with access to the codebase and cannot be easily rotated, creating significant security risks. Hardcoded credentials are particularly dangerous as they may be inadvertently exposed through version control systems or shared codebases.

Weakness:

359 - Sensitive information in source code - Credentials

Category: Information Collection

Detection Strategy

    Reports when code contains a call to the Redix.start_link function in Elixir

    The first argument passed to Redix.start_link contains hardcoded credential information

    Credentials are detected as literal strings or other hardcoded values rather than being retrieved from environment variables, configuration files, or other secure credential management systems

    This applies to Redis connection strings that include authentication details like passwords or API keys embedded directly in the source code

Vulnerable code example

# Vulnerable: hardcoded password in URI
Redix.start_link("redis://:myPassword123@localhost:6379")

# Vulnerable: password option with literal value
Redix.start_link(
  host: "localhost",
  password: "hardcodedSecret"
)

✅ Secure code example

# Secure: password from environment variable
Redix.start_link(System.fetch_env!("REDIS_URL"))

# Secure: password option from environment
Redix.start_link(
  host: "localhost",
  password: System.fetch_env!("REDIS_PASSWORD") # Fetch from env instead of hardcoding
)