Elixir Cassandra Hardcoded Credentials
Description
This detector identifies hardcoded credentials in Elixir Cassandra database connections using the Xandra library. Hardcoded authentication credentials in source code pose a significant security risk as they can be exposed in version control systems, logs, or to unauthorized personnel with code access.
Detection Strategy
• Scans Elixir source files for calls to the Xandra.start_link function which establishes Cassandra database connections
• Examines the authentication parameter passed to Xandra.start_link to check if credentials are provided
• Reports a vulnerability when authentication credentials (username/password) are hardcoded as literal string values in the source code rather than being retrieved from environment variables, configuration files, or secure credential stores
Vulnerable code example
defmodule MyApp.CassandraConnection do
def connect do
Xandra.start_link(
nodes: ["127.0.0.1:9042"],
# Vulnerable: hardcoded Cassandra credentials
authentication: {Xandra.Authenticator.Password, [username: "cassandra", password: "SuperSecret123"]}
)
end...✅ Secure code example
defmodule MyApp.CassandraConnection do
def connect do
Xandra.start_link(
nodes: ["127.0.0.1:9042"],
# Secure: credentials loaded from environment variables instead of hardcoded
authentication: {Xandra.Authenticator.Password, [
username: System.fetch_env!("CASSANDRA_USER"),
password: System.fetch_env!("CASSANDRA_PASSWORD")...Search for vulnerabilities in your apps for free with Fluid Attacks' automated security testing! Start your 21-day free trial and discover the benefits of the Continuous Hacking Essential plan. If you prefer the Advanced plan, which includes the expertise of Fluid Attacks' hacking team, fill out this contact form.