Use of Hard-coded, Security-relevant Constants (CWE-547)

Use of Hard-coded, Security-relevant Constants

The product uses hard-coded constants instead of symbolic names for security-critical values, which increases the likelihood of mistakes during code maintenance or security reviews.

Hard-coded values make code harder to understand and maintain. When security-relevant values are hard-coded, it increases the risk of errors when the code needs to be modified.

Verbreitung

Fokussiert

2 Sprachen abgedeckt

Auswirkung

Mittel

Review empfohlen

Prävention

Dokumentiert

2 Fix-Beispiele

2 Prävention

So behebst du diese Schwachstelle

Präventionsstrategien für Hardcoded Security Constants basierend auf 2 Shoulder-Erkennungsregeln.

🟨 JavaScript Alle anzeigen JavaScript Details →

Hardcoded Development URLs LOW

Use environment variables for URLs with localhost as a development fallback

+1 -1 javascript

- const API_URL = 'http://localhost:3000';
+ const API_URL = process.env.API_URL || 'http://localhost:3000';
  const response = await fetch(`${API_URL}/users`);

🐍 Python Alle anzeigen Python Details →

Hardcoded Development URLs LOW

Load URLs from environment variables with localhost as the development fallback

+4 -2 python

- API_URL = "http://localhost:3000/api"
- DB_HOST = "127.0.0.1"
+ import os
+ 
+ API_URL = os.getenv('API_URL', 'http://localhost:3000/api')
+ DB_HOST = os.getenv('DB_HOST', 'localhost')
  
  def fetch_data():
      response = requests.get(f'{API_URL}/data')
      return response.json()

Wichtige Praktiken

Use environment variables
configurable via environment variables

3 Erkennung

Finden Sie Schwachstellen in Ihrem Code

Verwenden Sie Shoulder, um Ihren Code nach Use of Hard-coded, Security-relevant Constants-Mustern zu scannen. 2 Regeln.

Terminal

# Scan with Shoulder CLI
npx @shoulderdev/cli trust --cwe=547

# Or scan entire project
npx @shoulderdev/cli trust .

Erkennungsregeln (2)

🟨 Javascript 1 rules

Hardcoded Development URLs LOW

Detects hardcoded development URLs (localhost, 127.0.0.1) in production code that should use environment variables.

🔷 Typescript 1 rules

Hardcoded Development URLs LOW

Detects hardcoded development URLs (localhost, 127.0.0.1) in production code that should use environment variables.

🐍 Python 1 rules

Hardcoded Development URLs LOW

Detects hardcoded development URLs such as localhost or 127.0.0.1 in production code. This indicates: 1. Configuration management issues 2. Potential production deployment problems 3. Leftover development/test code 4. API endpoints pointing to local services Development URLs should be configurable via environment variables.

4 Warnzeichen

Worauf bei Code-Reviews zu achten ist

Diese Muster weisen auf potenzielle Use of Hard-coded, Security-relevant Constants-Schwachstellen hin. Achten Sie bei Code-Reviews und Sicherheitsaudits darauf.

🔵

Hardcoded development URL found: ... Development URLs like localhost should be configured via environment variables. javascript-hardcoded-dev-urls

🔵

hardcoded development URLs (localhost, 127 javascript-hardcoded-dev-urls

🔵

Development URL found at line ...: ... python-hardcoded-dev-urls

🔵

hardcoded development URLs such as localhost or 127 python-hardcoded-dev-urls

🔍

Scanne deine Codebasis nach Use of Hard-coded, Security-relevant Constants

Shoulder CLI findet anfällige Muster in deiner gesamten Codebasis.

npx shoulder trust Alle Regeln durchsuchen