Non-encrypted confidential information - Credentials - Dart

Need

Secure storage of credentials

Context

  • Usage of Dart for building cross-platform mobile, web, and desktop applications
  • Usage of Shelf for managing and organizing data in a Node.js application

Description

Non compliant code

import 'package:shelf/shelf.dart' as shelf;
// serve() is not part of the core shelf library; it lives in shelf_io
import 'package:shelf/shelf_io.dart' as io;

Future<void> main() async {
  var handler = const shelf.Pipeline()
      .addMiddleware(shelf.logRequests())
      .addHandler(_echoRequest);

  await io.serve(handler, 'localhost', 8080);
}

shelf.Response _echoRequest(shelf.Request request) {
  // Credentials hard-coded in the source: readable by anyone with the code
  var username = 'admin';
  var password = 'password123';

  return shelf.Response.ok('Request for "${request.url}"');
}

In the above code, the username and password are hardcoded into the source code of the application. The username is 'admin' and the password is 'password123'. This is a serious security vulnerability because anyone who has access to the source code can see these credentials in plain text.

The credentials are declared in the _echoRequest function, which is the handler for HTTP requests. This handler sits at the end of a middleware pipeline that logs each request before handling it.

The server is started with the shelf.serve function, which binds the handler to the 'localhost' address on port 8080.

The problem here is that the credentials are not encrypted or hashed in any way, making them visible to anyone who can view the source code. This can lead to unauthorized access if the same credentials are used in a production environment.

Steps

  • Remove the hard-coded credentials from the source code.
  • Store the credentials in a secure and encrypted format in a separate configuration file or use a secure credentials management system.
  • Use environment variables to store sensitive information such as credentials.
  • Implement a secure authentication system that does not require storing credentials in the source code, such as OAuth or JWT.
  • Ensure that the credentials are encrypted during transmission and at rest.

Compliant code

import 'dart:io';
import 'package:shelf/shelf.dart' as shelf;
// serve() is not part of the core shelf library; it lives in shelf_io
import 'package:shelf/shelf_io.dart' as io;

Future<void> main() async {
  var handler = const shelf.Pipeline()
      .addMiddleware(shelf.logRequests())
      .addHandler(_echoRequest);

  await io.serve(handler, 'localhost', 8080);
}

shelf.Response _echoRequest(shelf.Request request) {
  // Read from the process environment; the lookup yields null if the
  // variable is not set, so the values must be checked before use
  var username = Platform.environment['USERNAME'];
  var password = Platform.environment['PASSWORD'];

  return shelf.Response.ok('Request for "${request.url}"');
}

The updated code no longer contains hard-coded credentials. Instead, it retrieves the username and password from environment variables. This is a more secure practice as it prevents the credentials from being exposed in the source code.

To set the environment variables, you can use the following commands in the terminal before running the application:

export USERNAME=admin
export PASSWORD=password123


Remember to replace 'admin' and 'password123' with your actual username and password.

This is just a basic fix. For a production application, you should consider using a secure credentials management system or a secure authentication system such as OAuth or JWT. Also, ensure that the credentials are encrypted during transmission and at rest.
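As an added example (not code from the original page or from the Shelf project), the following Dart program shows what the compliant version above still leaves open: the environment lookup is validated once at startup so a missing variable stops the process instead of producing a null credential, and the credentials are then actually used by a Shelf middleware that checks HTTP Basic authentication with a constant-time comparison. The names APP_USERNAME, APP_PASSWORD, loadCredentials, constantTimeEquals and basicAuth are chosen for this example.

```dart
import 'dart:convert';
import 'dart:io';
import 'package:shelf/shelf.dart' as shelf;
import 'package:shelf/shelf_io.dart' as io;

typedef Credentials = ({String username, String password});

// Read credentials once at startup (APP_USERNAME / APP_PASSWORD are names chosen
// for this example) and abort if either is unset, so null never reaches a request.
Credentials loadCredentials(Map<String, String> env) {
  final user = env['APP_USERNAME'] ?? '', pass = env['APP_PASSWORD'] ?? '';
  if (user.isEmpty || pass.isEmpty) {
    throw StateError('APP_USERNAME and APP_PASSWORD must be set');
  }
  return (username: user, password: pass);
}

// Byte-wise comparison whose duration is independent of where the first
// mismatch is, so response timing does not reveal the secret.
bool constantTimeEquals(String a, String b) {
  final x = utf8.encode(a), y = utf8.encode(b);
  var diff = x.length ^ y.length;
  for (var i = 0; i < x.length && i < y.length; i++) diff |= x[i] ^ y[i];
  return diff == 0;
}

// HTTP Basic middleware: only requests carrying the configured credentials
// reach the inner handler; missing, malformed or wrong headers get a 401.
shelf.Middleware basicAuth(Credentials creds) {
  return (shelf.Handler inner) => (shelf.Request request) {
        final header = request.headers['authorization'] ?? '';
        var decoded = '';
        try {
          final b64 = header.startsWith('Basic ') ? header.substring(6) : '';
          decoded = utf8.decode(base64.decode(b64));
        } on FormatException { /* malformed base64/UTF-8: rejected below */ }
        final sep = decoded.indexOf(':');
        if (sep > 0 &&
            constantTimeEquals(decoded.substring(0, sep), creds.username) &&
            constantTimeEquals(decoded.substring(sep + 1), creds.password)) {
          return inner(request);
        }
        return shelf.Response(401, headers: {'www-authenticate': 'Basic'});
      };
}

Future<void> main() async {
  final creds = loadCredentials(Platform.environment);
  final handler = const shelf.Pipeline()
      .addMiddleware(basicAuth(creds))
      .addHandler((req) => shelf.Response.ok('Request for "${req.url}"'));
  await io.serve(handler, 'localhost', 8080);
}
```

Because the check runs before io.serve is called, a deployment that forgets to set the variables fails visibly at startup rather than accepting every request with a null credential.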
