Sensitive information in source code - Credentials - PHP

Need

Secure storage and management of sensitive information in source code

Context

  • Usage of PHP 7.0 for server-side scripting and web development
  • Usage of Illuminate\Http\Request for handling HTTP requests in Laravel
  • Usage of Illuminate\Routing\Controller for handling routes and requests in Laravel

Description

Non compliant code

        
        

The above code is an example of a Controller in a Laravel application that stores sensitive information directly in the source code. This is a serious vulnerability as it exposes sensitive data such as usernames, passwords, emails, and API keys.

The variables $username, $password, $email, and $apiKey are all hardcoded into the source code. This means that anyone who has access to the source code can see these values. If this code were to end up in a public repository, for example, these values could be seen by anyone.

This vulnerability can be exploited by attackers to gain unauthorized access to the system or to perform actions on behalf of the user. For example, with the username and password, an attacker could log in to the system as the user. With the API key, an attacker could make API calls on behalf of the user.

This vulnerability can be mitigated by not storing sensitive information in the source code. Instead, use environment variables or a secure configuration management system to store these values.

Steps

  • Remove the hard-coded credentials from the source code.
  • Store sensitive information in environment variables or in a secure configuration file that is not included in the version control system.
  • Use a secure method to access these variables or configuration files in your code.
  • Consider using a secrets management tool or service for storing sensitive information.
  • Ensure that the configuration file or environment variables are properly secured and not accessible by unauthorized users or processes.
  • Rotate your credentials regularly and whenever they are believed to be compromised.

Compliant code

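<?php
use Illuminate\Routing\Controller;

// The opening of this listing is missing from the page; the class name is a placeholder.
class ExampleController extends Controller
{
    private $username, $password, $email, $apiKey;

    public function __construct()
    {
        // Credentials come from the environment (.env), not from literals in the source.
        $this->username = env('ADMIN_USERNAME');
        $this->password = env('ADMIN_PASSWORD');
        $this->email = env('ADMIN_EMAIL');
        $this->apiKey = env('API_KEY');
    }

    public function index()
    {
        // Some code here...
    }
}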

The original code had sensitive information such as username, password, email, and API key hard-coded into the source code. This is a major security vulnerability as anyone with access to the source code would have access to these sensitive credentials.

The updated code removes these hard-coded credentials and instead retrieves them from environment variables using Laravel's env() helper function. These environment variables should be defined in a .env file at the root of your Laravel project. This file should not be included in your version control system to prevent the credentials from being exposed.

Here is an example of what your .env file might look like:

ADMIN_USERNAME=admin
ADMIN_PASSWORD=password123
ADMIN_EMAIL=admin@example.com
API_KEY=1234567890abcdef

By storing sensitive information in environment variables, we can keep the credentials secure and out of the version control system. This also makes it easy to change the credentials without having to modify the source code.

Remember to secure your .env file properly and restrict access to it. Also, consider rotating your credentials regularly and whenever they are believed to be compromised.
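
A pre-commit style check for the first two steps above, as an added example that is not part of the original page: it flags credential-named PHP variables that are assigned string literals and confirms that .env is ignored by Git. The name list, the simplified .gitignore matching and the sample PHP are assumptions constructed for illustration.

```python
import fnmatch
import re

# Heuristic name list (an assumption): the page's four variables plus common variants.
SECRET_NAME = r"\w*(?:username|password|passwd|email|api_?key|secret|token)\w*"
# A credential-named variable or property assigned a non-empty string literal.
# env('...') and config('...') calls do not begin with a quote, so they pass.
HARDCODED = re.compile(
    r"\$(?:this->)?(" + SECRET_NAME + r")\s*=\s*(['\"])(?:(?!\2).)+\2", re.IGNORECASE
)


def find_hardcoded_secrets(php_source):
    """Return (line_number, variable_name) for each hardcoded credential."""
    return [
        (number, match.group(1))
        for number, line in enumerate(php_source.splitlines(), start=1)
        for match in HARDCODED.finditer(line)
    ]


def env_file_ignored(gitignore_text, path=".env"):
    """Simplified .gitignore check: last matching pattern wins, '!' re-includes."""
    ignored = False
    for raw in gitignore_text.splitlines():
        pattern = raw.strip()
        if not pattern or pattern.startswith("#"):
            continue
        if fnmatch.fnmatchcase(path, pattern.lstrip("!").lstrip("/")):
            ignored = not pattern.startswith("!")
    return ignored


# Constructed sample input (not from the page): hardcoded vs. environment-backed.
NON_COMPLIANT = """<?php
$this->username = 'admin';
$this->password = "password123";
$this->email = 'admin@example.com';
$this->apiKey = '1234567890abcdef';
"""
COMPLIANT = """<?php
$this->username = env('ADMIN_USERNAME');
$this->password = env('ADMIN_PASSWORD');
$this->apiKey = env('API_KEY');
"""

if __name__ == "__main__":
    for number, name in find_hardcoded_secrets(NON_COMPLIANT):
        print(f"line {number}: ${name} is assigned a string literal")
    print(".env ignored:", env_file_ignored("/vendor\n.env\n"))
```

A name-based regex like this catches only the pattern the page describes; it does not replace a dedicated secret scanner or a review of the repository history.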