Json Git Url With Credentials
Description
Detects Git repository URLs that embed hardcoded credentials (typically a username and password, in the form https://username:password@host) in the dependency declarations of package.json. Because package.json is committed to version control and shipped with the package, any credential embedded in it is exposed to everyone who can read the repository or the published artifact, and can be reused to access the private repository the dependency points at.
Detection Strategy
• Inspect the package.json file and locate its dependency sections (dependencies, devDependencies and similar).
• For each entry, check whether the version specifier is a Git URL (git+https://, git+ssh://, git:// or ssh://) rather than a semver range, registry alias or local path.
• In each Git URL, look for an authentication component between the scheme's // and the @ that precedes the host, in the format 'https://username:password@domain'.
• Flag every dependency entry whose Git URL carries such embedded credentials.
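The strategy above, as an added example that is not part of the original page: a Node.js script that parses a package.json and reports every Git dependency specifier whose URL carries credentials. It goes slightly beyond the bullets by also scanning optionalDependencies and peerDependencies and by treating a bare token used as the username on git+https URLs as a credential. The section list, the regular expression, the function names and the sample package.json are all assumptions made for this example, not part of the detection rule as published.

```javascript
// Added example, not code from the Fluid Attacks page: scan a package.json text for
// Git dependency URLs that embed credentials. Only Node.js built-ins are used
// (Node 10+ for named capture groups).

// Sections of package.json whose values are version specifiers (assumed list).
const DEP_SECTIONS = ["dependencies", "devDependencies", "optionalDependencies", "peerDependencies"];

// Git transports that npm accepts as dependency specifiers.
const GIT_SCHEMES = new Set(["git", "git+ssh", "git+http", "git+https", "ssh"]);

// scheme://[user[:password]@]host...  The userinfo is parsed by hand so that the
// scp-style "host:path" form npm also accepts does not trip a strict URL parser.
const URL_RE = /^(?<scheme>[a-z][a-z0-9+.-]*):\/\/(?:(?<user>[^:@/]*)(?::(?<pass>[^@/]*))?@)?(?<host>[^/:#?]+)/i;

/**
 * Inspect one version specifier.
 * Returns null when it is not a credential-bearing Git URL, otherwise
 * { scheme, host, kind, redacted } where kind is "password" or "username".
 * Assumption: on http(s) transports any userinfo counts as a credential (GitHub,
 * for example, accepts a token as the username); on ssh:// the username is
 * normally just "git", so only an explicit password part is flagged there.
 */
function inspectSpecifier(spec) {
  if (typeof spec !== "string") return null;
  const m = URL_RE.exec(spec);
  if (!m) return null; // semver ranges, "github:org/repo", tarballs, local paths
  const scheme = m.groups.scheme.toLowerCase();
  if (!GIT_SCHEMES.has(scheme)) return null;
  const { user = "", pass } = m.groups;
  const overHttp = scheme === "git+http" || scheme === "git+https";
  let kind = null;
  if (pass !== undefined && pass !== "") kind = "password";
  else if (overHttp && user !== "") kind = "username";
  if (!kind) return null;
  // Redact the userinfo so the finding can be logged or filed in a ticket safely.
  const redacted = spec.replace(/\/\/[^@/]*@/, "//***@");
  return { scheme, host: m.groups.host, kind, redacted };
}

/** Scan the text of a package.json and return one finding per offending entry. */
function findCredentialedGitDeps(packageJsonText) {
  const pkg = JSON.parse(packageJsonText);
  const findings = [];
  for (const section of DEP_SECTIONS) {
    const deps = pkg[section];
    if (!deps || typeof deps !== "object") continue;
    for (const [name, spec] of Object.entries(deps)) {
      const hit = inspectSpecifier(spec);
      if (hit) findings.push({ section, name, ...hit });
    }
  }
  return findings;
}

// Constructed sample input (not a real project): mirrors the page's examples and
// adds a token-as-username case, a clean ssh entry and an ordinary semver range.
const SAMPLE_PACKAGE_JSON = JSON.stringify({
  name: "sample-project",
  dependencies: {
    "private-repo": "git+https://username:password123@github.com/org/repo.git#main",
    "public-lib": "git+https://github.com/org/lib.git#v2.0.0",
    "tokened": "git+https://ghp_exampletoken@github.com/org/tool.git",
    "semver-dep": "^1.2.3",
  },
  devDependencies: {
    "internal-lib": "git+ssh://git:secretToken789@gitlab.com/team/lib.git#v1.0.0",
    "ssh-clean": "git+ssh://git@gitlab.com/team/other.git#v1.0.0",
  },
});

for (const f of findCredentialedGitDeps(SAMPLE_PACKAGE_JSON)) {
  console.log(`${f.section}.${f.name}: ${f.kind} embedded in ${f.scheme} URL -> ${f.redacted}`);
}
```

Run against the constructed manifest it reports three entries (private-repo, tokened, internal-lib) and stays silent on the clean git+https, clean git+ssh and semver specifiers. Reporting the redacted URL rather than the original matters in practice: a scanner that prints the secret it found simply moves the leak into CI logs.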
Vulnerable code example
{
  "name": "vulnerable-project",
  "dependencies": {
    "private-repo": "git+https://username:password123@github.com/org/repo.git#main" // Vulnerable: username and password embedded in the URL
  },
  "devDependencies": {
    "internal-lib": "git+ssh://git:secretToken789@gitlab.com/team/lib.git#v1.0.0" // Vulnerable: hardcoded token embedded in the SSH URL
  }
}
Both specifiers are flagged: the credential sits in the userinfo part of the URL (between // and @), so it is committed together with the manifest and reaches anyone who can read the repository or the published package.

✅ Secure code example
{
  "name": "vulnerable-project",
  "dependencies": {
    "private-repo": "git+https://github.com/org/repo.git#main" // Safe: no credentials in the URL; git obtains them at install time from its credential helper or GIT_ASKPASS
  },
  "devDependencies": {
    "internal-lib": "git+ssh://git@gitlab.com/team/lib.git#v1.0.0" // Safe: SSH key or agent authentication; "git" is the service user, not a secret
  }
}
Credentials for private repositories belong outside the manifest: an SSH key or agent for ssh:// URLs, and a git credential helper (or a token injected through the environment in CI) for https:// URLs, so that package.json only records where the repository lives.