Typescript Hardcoded Password In Connection
Description
Detects hardcoded passwords in database connection strings or configuration objects for MySQL, MSSQL and PostgreSQL in TypeScript code. This represents a security risk as credentials embedded in source code could be exposed through version control systems or code access.
Detection Strategy
• Check for database connection creation using MySQL createConnection(), MSSQL createConnection() or PostgreSQL Client() functions
• Examine the connection configuration object passed as first argument to these functions
• Flag any connection configurations where the password field contains a hardcoded string literal instead of an environment variable or configuration value
• Report vulnerability if password is directly embedded in the connection configuration
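The detection strategy above, as an added TypeScript example (not Fluid Attacks' own scanner): a dependency-free scanner that finds createConnection()/Client() calls, isolates the object literal passed as the first argument and reports a `password` property whose value is a string literal while leaving `process.env` references alone. The names Finding, findHardcodedPasswords and objectLiteralAt and the SAMPLE input are constructed for this example; a production rule would walk the TypeScript compiler's AST instead of using regular expressions.

```typescript
interface Finding { line: number; callee: string; password: string }

// Call sites from the detection strategy: mysql/mssql createConnection(...) and
// pg's Client(...) constructor, each followed by an inline object literal.
const CALL_PATTERN = /\b(createConnection|new\s+Client)\s*\(\s*\{/;
// A `password` property whose value is a quoted string or a template literal without
// ${...}; references such as process.env.DB_PASSWORD or config.password do not match.
const LITERAL_PASSWORD = /["']?\bpassword\b["']?\s*:\s*(?:"([^"\\]*)"|'([^'\\]*)'|`([^`$]*)`)/;

// Returns the object literal that opens at src[openIdx] by tracking brace depth.
// Helper written for this example; assumes no "{" or "}" occurs inside the config's strings.
function objectLiteralAt(src: string, openIdx: number): string {
  let depth = 0;
  for (let i = openIdx; i < src.length; i++) {
    if (src[i] === "{") depth++;
    else if (src[i] === "}" && --depth === 0) return src.slice(openIdx, i + 1);
  }
  return src.slice(openIdx); // unterminated literal: scan to end of input
}

// Reports every matching call whose first-argument object carries a literal password.
function findHardcodedPasswords(src: string): Finding[] {
  const findings: Finding[] = [];
  const call = new RegExp(CALL_PATTERN.source, "g"); // fresh global state per scan
  let m: RegExpExecArray | null;
  while ((m = call.exec(src)) !== null) {
    const openIdx = m.index + m[0].length - 1; // index of the "{" that starts the config
    const pwd = LITERAL_PASSWORD.exec(objectLiteralAt(src, openIdx));
    if (!pwd) continue; // no password, or it is read from process.env / a config object
    const line = src.slice(0, m.index).split("\n").length;
    findings.push({ line, callee: m[1].replace(/\s+/g, " "), password: pwd[1] ?? pwd[2] ?? pwd[3] ?? "" });
  }
  return findings;
}

// Constructed sample input: the page's vulnerable and secure mysql examples plus a pg Client.
const SAMPLE = `
const bad = mysql.createConnection({
  host: "example.org", user: "admin",
  password: "secret123",
});
const good = mysql.createConnection({
  host: process.env.DB_HOST, user: process.env.DB_USER,
  password: process.env.DB_PASSWORD,
});
const pgBad = new Client({ user: "app", password: 'hunter2', database: "app" });
`.trim();
for (const f of findHardcodedPasswords(SAMPLE)) {
  console.log(`line ${f.line}: ${f.callee}() has a hardcoded password "${f.password}"`);
}
```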
Vulnerable code example
const mysql = require("mysql");
// Database connection with hardcoded credentials - security risk
const connection = mysql.createConnection({
  host: "example.org",
  user: "admin",
  password: "secret123" // Vulnerable: Hardcoded credential should never be in source code
});
✅ Secure code example
const mysql = require("mysql");
// Database connection using environment variables - secure practice
const connection = mysql.createConnection({
  host: process.env.DB_HOST,
  user: process.env.DB_USER,
  password: process.env.DB_PASSWORD // Secure: credentials loaded from environment variables
});