Java Hardcoded Redis Auth Password
Description
Detects hardcoded credentials used for Redis authentication when using the Jedis client library. This represents a security risk since hardcoded passwords in source code could be exposed through code repositories or decompilation, potentially leading to unauthorized database access.
Detection Strategy
• Identifies when the Jedis Redis client library (redis.clients.jedis) is imported in Java code
• Looks for calls to the 'auth' method on Jedis client instances
• Checks if the authentication password is hardcoded as a string literal in the method arguments
• Reports a vulnerability when credentials are passed as static/hardcoded values rather than configuration or environment variables
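The four checks above, implemented as a small regex-based scanner in Python. This is an added example, not Fluid Attacks' own rule engine; `scan_java`, `strip_line_comment`, `split_args` and the two sample snippets are constructed for illustration.

```python
import re

# The rule only applies when the Jedis client library is imported.
JEDIS_IMPORT = re.compile(r"^\s*import\s+redis\.clients\.jedis\.", re.MULTILINE)
# Any `<receiver>.auth(<args>)` call; the argument list is inspected separately.
AUTH_CALL = re.compile(r"\b(\w+)\s*\.\s*auth\s*\(([^)]*)\)")
STRING_LITERAL = re.compile(r'^"(?:[^"\\]|\\.)*"$')

def strip_line_comment(line):
    # Drop a trailing // comment, but not a // that sits inside a string literal.
    in_str, i = False, 0
    while i < len(line):
        if in_str and line[i] == "\\":
            i += 2  # skip the escaped character
            continue
        if line[i] == '"':
            in_str = not in_str
        elif not in_str and line.startswith("//", i):
            return line[:i]
        i += 1
    return line

def split_args(arglist):
    # Split the argument list on commas that are outside string literals.
    args, cur, in_str = [], "", False
    for c in arglist:
        in_str = (not in_str) if c == '"' else in_str
        if c == "," and not in_str:
            args.append(cur.strip()); cur = ""
        else:
            cur += c
    return args + [cur.strip()] if cur.strip() else args

def scan_java(source):
    # Returns (line_number, receiver, [hardcoded literal args]) for each flagged call.
    if not JEDIS_IMPORT.search(source):
        return []
    findings = []
    for lineno, raw in enumerate(source.splitlines(), 1):
        for m in AUTH_CALL.finditer(strip_line_comment(raw)):
            literals = [a for a in split_args(m.group(2)) if STRING_LITERAL.match(a)]
            if literals:
                findings.append((lineno, m.group(1), literals))
    return findings

# Constructed samples: the page's vulnerable snippet and a secure variant.
VULNERABLE = ('import redis.clients.jedis.Jedis;\nJedis jedis = new Jedis();\n'
              'jedis.auth("hardcoded_password");\njedis.auth("admin", "secret123");\n')
SECURE = ('import redis.clients.jedis.Jedis;\nString password = System.getenv("REDIS_PASSWORD");\n'
          'Jedis jedis = new Jedis();\njedis.auth(password); // jedis.auth("old") in a comment\n')
```

The scanner is line-based and does not parse Java, so a call whose arguments span several lines or contain a `)` inside a string is missed; a production rule works on the AST instead.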
Vulnerable code example
import redis.clients.jedis.Jedis;
Jedis jedis = new Jedis();
jedis.auth("hardcoded_password"); // Vulnerable: Hardcoded credential in authentication
jedis.auth("admin", "secret123"); // Vulnerable: Both username and password hardcoded
✅ Secure code example
import redis.clients.jedis.Jedis;
// Load credentials from environment variables or config
String password = System.getenv("REDIS_PASSWORD"); // Get password from environment variable
String username = System.getenv("REDIS_USERNAME"); // Get username from environment variable
Jedis jedis = new Jedis();
if (username != null) {
    jedis.auth(username, password); // ACL user with its password
} else {
    jedis.auth(password); // Password-only authentication
}