Create rule S6781: JWT secret keys should not be disclosed #3838
Conversation
Text LGTM
Some tweak suggestions to the code to improve the diff view
[Route("login-config")] | ||
public class LoginConfigController : ControllerBase |
[Route("login-config")] | |
public class LoginConfigController : ControllerBase | |
[Route("login-example")] | |
public class LoginExampleController : ControllerBase |
public class LoginConfigController : ControllerBase | ||
{ | ||
private readonly IConfiguration _config; | ||
public LoginConfigController(IConfiguration config) |
public LoginConfigController(IConfiguration config) | |
public LoginExampleController(IConfiguration config) |
expires: DateTime.Now.AddMinutes(120), | ||
signingCredentials: credentials); | ||
|
||
return Ok(new JwtSecurityTokenHandler().WriteToken(Sectoken)); |
return Ok(new JwtSecurityTokenHandler().WriteToken(Sectoken)); | |
var token = new JwtSecurityTokenHandler().WriteToken(Sectoken); | |
return Ok(token); |
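Review bot: the local `Sectoken` (line `return Ok(new JwtSecurityTokenHandler().WriteToken(Sectoken));`) uses PascalCase, which C# convention reserves for types and members; since the suggestion already introduces the `var token = ...` line, renaming the local to `secToken` (or simply `jwt`) in the same pass would keep the example idiomatic. Consider also `DateTime.UtcNow` in `expires: DateTime.Now.AddMinutes(120)` so the expiry is visibly expressed in UTC, which is what the `exp` claim encodes.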
|
||
// Code to validate user omitted | ||
|
||
var securityKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(key)); // Noncompliant (key in appsettings.json) |
var securityKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(key)); // Noncompliant (key in appsettings.json) | |
var securityKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(key)); // Noncompliant |
No need to explain it twice 👍 It also increases the size of the code and unnecessarily forces the reader to scroll right to read it
{ | ||
// Code to validate user omitted | ||
|
||
var securityKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(key)); // Noncompliant: hard-coded key in code |
var securityKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(key)); // Noncompliant: hard-coded key in code | |
var securityKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(key)); // Noncompliant |
This increases the size of the code and unnecessarily forces the reader to scroll right to read it
var token = new JwtSecurityTokenHandler().WriteToken(Sectoken); | ||
|
||
return Ok(token); |
var token = new JwtSecurityTokenHandler().WriteToken(Sectoken); | |
return Ok(token); | |
var token = new JwtSecurityTokenHandler().WriteToken(Sectoken); | |
return Ok(token); |
|
||
=== Code examples | ||
|
||
The following noncompliant code contains a hard-coded secret that can be exposed unintentionally. |
The following noncompliant code contains a hard-coded secret that can be exposed unintentionally. | |
The following noncompliant code uses a secret from the `_config` variable, which means a secret is hardcoded in `appsettings.json` and can be unintentionally exposed along with the code. |
I suggest adding the appsettings comment here:
[Route("login-env")] | ||
public class LoginEnvController : ControllerBase |
[Route("login-env")] | |
public class LoginEnvController : ControllerBase | |
[Route("login-example")] | |
public class LoginExampleController : ControllerBase |
public class LoginEnvController : ControllerBase | ||
{ | ||
private readonly IConfiguration _config; | ||
public LoginEnvController(IConfiguration config) |
public LoginEnvController(IConfiguration config) | |
public LoginExampleController(IConfiguration config) |
Text LGTM, code logic LGTM, it's just the diff appearance that should be fixed
last review, some mistakes from me
LGTM