Use of Hard-coded, Security-relevant Constants (CWE-547)

Use of Hard-coded, Security-relevant Constants

The product uses hard-coded constants instead of symbolic names for security-critical values, which increases the likelihood of mistakes during code maintenance or security reviews.

Hard-coded values make code harder to understand and maintain. When security-relevant values are hard-coded, it increases the risk of errors when the code needs to be modified.

Prévalence

Ciblé

2 langages couverts

Impact

Moyen

Revue recommandée

Prévention

Documentée

2 exemples de correctifs

2 Prévention

Comment corriger cette vulnérabilité

Stratégies de prévention pour Hardcoded Security Constants basées sur 2 règles de détection Shoulder.

🟨 JavaScript Tout voir JavaScript détails →

Hardcoded Development URLs LOW

Use environment variables for URLs with localhost as a development fallback

+1 -1 javascript

- const API_URL = 'http://localhost:3000';
+ const API_URL = process.env.API_URL || 'http://localhost:3000';
  const response = await fetch(`${API_URL}/users`);

🐍 Python Tout voir Python détails →

Hardcoded Development URLs LOW

Load URLs from environment variables with localhost as the development fallback

+4 -2 python

- API_URL = "http://localhost:3000/api"
- DB_HOST = "127.0.0.1"
+ import os
+ 
+ API_URL = os.getenv('API_URL', 'http://localhost:3000/api')
+ DB_HOST = os.getenv('DB_HOST', 'localhost')
  
  def fetch_data():
      response = requests.get(f'{API_URL}/data')
      return response.json()

Pratiques clés

Use environment variables
configurable via environment variables

3 Détection

Trouvez les vulnérabilités dans votre code

Utilisez Shoulder pour scanner votre code à la recherche de patterns Use of Hard-coded, Security-relevant Constants. 2 règles.

terminal

# Scan with Shoulder CLI
npx @shoulderdev/cli trust --cwe=547

# Or scan entire project
npx @shoulderdev/cli trust .

Règles de Détection (2)

🟨 Javascript 1 rules

Hardcoded Development URLs LOW

Detects hardcoded development URLs (localhost, 127.0.0.1) in production code that should use environment variables.

🔷 Typescript 1 rules

Hardcoded Development URLs LOW

Detects hardcoded development URLs (localhost, 127.0.0.1) in production code that should use environment variables.

🐍 Python 1 rules

Hardcoded Development URLs LOW

Detects hardcoded development URLs such as localhost or 127.0.0.1 in production code. This indicates: 1. Configuration management issues 2. Potential production deployment problems 3. Leftover development/test code 4. API endpoints pointing to local services Development URLs should be configurable via environment variables.

4 Signes d'Alerte

Ce qu'il faut surveiller lors des revues de code

Ces patterns indiquent des vulnérabilités potentielles Use of Hard-coded, Security-relevant Constants. Recherchez-les lors des revues de code et des audits de sécurité.

🔵

Hardcoded development URL found: ... Development URLs like localhost should be configured via environment variables. javascript-hardcoded-dev-urls

🔵

hardcoded development URLs (localhost, 127 javascript-hardcoded-dev-urls

🔵

Development URL found at line ...: ... python-hardcoded-dev-urls

🔵

hardcoded development URLs such as localhost or 127 python-hardcoded-dev-urls

🔍

Scannez votre base de code pour Use of Hard-coded, Security-relevant Constants

Shoulder CLI trouve les motifs vulnérables dans toute votre base de code.

npx shoulder trust Parcourir toutes les règles