Elixir Mongo Hardcoded Credentials
Description
This detector identifies hardcoded MongoDB credentials in Elixir applications. When MongoDB connection credentials like usernames, passwords, or connection strings are embedded directly in the source code, they pose a significant security risk as they can be exposed in version control systems, logs, or to anyone with access to the codebase.
Detection Strategy
• Scans Elixir source code for MongoDB connection calls using Mongo.start_link function
• Analyzes the parameters passed to Mongo.start_link to detect hardcoded credential values
• Reports a vulnerability when authentication parameters (username, password, connection string with credentials) contain literal string values instead of variables or environment references
• Triggers on any Mongo.start_link call where credentials are directly embedded in the code rather than externally configured
Vulnerable code example
defmodule MyApp.Mongo do
def connect_hardcoded do
Mongo.start_link(
username: "admin",
password: "SuperSecret123" # Hardcoded credential in MongoDB connection
)
end
...✅ Secure code example
defmodule MyApp.Mongo do
def connect_hardcoded do
Mongo.start_link(
username: "admin",
password: System.fetch_env!("MONGO_PASSWORD") # Safe: password from environment
)
end
...Search for vulnerabilities in your apps for free with Fluid Attacks' automated security testing! Start your 21-day free trial and discover the benefits of the Continuous Hacking Essential plan. If you prefer the Advanced plan, which includes the expertise of Fluid Attacks' hacking team, fill out this contact form.