Python Hardcoded Db Credentials In Settings
Description
Detects hardcoded database credentials in Django settings.py files. These credentials expose sensitive authentication information in source code, which is a security risk if the code is exposed or compromised. Credentials should be stored securely in environment variables or secure configuration management systems.
Detection Strategy
• Scan files named 'settings.py' in Django projects
• Look for database configuration variables containing hardcoded credential strings or arrays
• Check database configuration objects for hardcoded username, password or connection string values
• Report a vulnerability if any database credentials are found directly written in the settings file
Vulnerable code example
# type: ignore
# settings.py
import os
# --------- VULNERABLE PART WITH HARDCODED VARIABLES ----------
# Reference: https://docs.djangoproject.com/en/5.1/ref/settings/#databases...
✅ Secure code example
# type: ignore
# settings.py
import os
# --------- SECURE PART USING ENVIRONMENT VARIABLES ----------
DATABASES = { # -> Safe...
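As an added illustration of the detection strategy above (this is example code, not Fluid Attacks' scanner), the following AST-based checker walks a settings.py, locates the DATABASES dict and reports USER or PASSWORD entries written as string literals, while values read through os.environ or os.getenv are left alone. The two sample settings strings and the credential values in them are constructed for the example.

```python
import ast
# Django DATABASES keys whose values must never be string literals.
CREDENTIAL_KEYS = {"USER", "PASSWORD"}

def _literal_str(node):
    """Return the text of a non-empty string constant, else None."""
    if isinstance(node, ast.Constant) and isinstance(node.value, str) and node.value:
        return node.value
    return None

def find_hardcoded_db_credentials(source):
    """Return (line, alias, key) for each literal credential under DATABASES."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Assign) or not isinstance(node.value, ast.Dict):
            continue
        if not any(isinstance(t, ast.Name) and t.id == "DATABASES" for t in node.targets):
            continue
        for alias_node, cfg in zip(node.value.keys, node.value.values):
            if not isinstance(cfg, ast.Dict):
                continue  # alias built by a helper call, not a literal dict: skip
            alias = _literal_str(alias_node) or "<dynamic>"
            for key_node, val_node in zip(cfg.keys, cfg.values):
                # os.environ[...] / os.getenv(...) are Subscript/Call nodes, not
                # Constant, so only an inline string literal is reported.
                if _literal_str(key_node) in CREDENTIAL_KEYS and _literal_str(val_node):
                    findings.append((val_node.lineno, alias, _literal_str(key_node)))
    return findings
# Constructed sample settings (not taken from any real project).
VULNERABLE = '''DATABASES = {
    "default": {
        "ENGINE": "django.db.backends.postgresql",
        "USER": "app_user",
        "PASSWORD": "ChangeMe123",
    }
}
'''
SECURE = '''import os
DATABASES = {
    "default": {
        "ENGINE": "django.db.backends.postgresql",
        "USER": os.environ["DB_USER"],
        "PASSWORD": os.getenv("DB_PASSWORD"),
    }
}
'''
```

Running the checker over VULNERABLE yields the USER and PASSWORD entries with their line numbers, and over SECURE yields nothing, which is the distinction the detection strategy relies on.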