Clear text storage of sensitive information
ID: js/clear-text-storage-of-sensitive-data
Kind: path-problem
Security severity: 7.5
Severity: error
Precision: high
Tags:
- security
- external/cwe/cwe-312
- external/cwe/cwe-315
- external/cwe/cwe-359
Query suites:
- javascript-code-scanning.qls
- javascript-security-extended.qls
- javascript-security-and-quality.qls
Sensitive information that is stored unencrypted is accessible to an attacker who gains access to the storage. This is particularly important for cookies, which are stored on the machine of the end-user.
Recommendation
Ensure that sensitive information is always encrypted before being stored. If possible, avoid placing sensitive information in cookies altogether. Instead, store in the cookie only an opaque key (for example a random session identifier) that the server can use to look up the sensitive information, which then never leaves the server.
In general, decrypt sensitive information only at the point where it is necessary for it to be used in cleartext.
Be aware that external processes often store the standard output and standard error streams of the application, so any sensitive information written to the log is stored as well.
Example
The following example code stores user credentials (in this case, their password) in a cookie in plain text:
```javascript
var express = require('express');
var app = express();

app.get('/remember-password', function (req, res) {
  let pw = req.param("current_password");
  // BAD: Setting a cookie value with cleartext sensitive data.
  res.cookie("password", pw);
});
```
Instead, the credentials should be encrypted, for instance by using the Node.js crypto module:
```javascript
var express = require('express');
var crypto = require('crypto');

// getPassword() stands in for however the application loads its secret key
// material (for example from an environment variable or a secrets manager).
var password = getPassword();
// crypto.createCipher() is deprecated: it derives key and IV from the secret
// without a salt, so every call reuses the same keystream. Derive a 256-bit key
// once and use a fresh random IV per message with createCipheriv() instead.
var key = crypto.scryptSync(password, 'cookie-key-salt', 32);

function encrypt(text) {
  var iv = crypto.randomBytes(16);
  // CTR gives confidentiality only; use an AEAD mode such as 'aes-256-gcm'
  // if the cookie must also be tamper-evident.
  var cipher = crypto.createCipheriv('aes-256-ctr', key, iv);
  var encrypted = cipher.update(text, 'utf8', 'hex') + cipher.final('hex');
  // Prepend the IV so the value can be decrypted later.
  return iv.toString('hex') + ':' + encrypted;
}

var app = express();

app.get('/remember-password', function (req, res) {
  let pw = req.param("current_password");
  // GOOD: Encrypting the value before setting it.
  res.cookie("password", encrypt(pw));
});
```
References
M. Dowd, J. McDonald and J. Schuh, The Art of Software Security Assessment, 1st Edition, Chapter 2 - 'Common Vulnerabilities of Encryption', p. 43. Addison Wesley, 2006.
M. Howard and D. LeBlanc, Writing Secure Code, 2nd Edition, Chapter 9 - 'Protecting Secret Data', p. 299. Microsoft, 2002.
Common Weakness Enumeration: CWE-312.
Common Weakness Enumeration: CWE-315.
Common Weakness Enumeration: CWE-359.