Use of Hard-coded, Security-relevant Constants (CWE-547)

Use of Hard-coded, Security-relevant Constants

The product uses hard-coded constants instead of symbolic names for security-critical values, which increases the likelihood of mistakes during code maintenance or security reviews.

Hard-coded values make code harder to understand and maintain. When security-relevant values are hard-coded, it increases the risk of errors when the code needs to be modified.

व्यापकता

केंद्रित

2 भाषाएँ कवर की गईं

प्रभाव

मध्यम

समीक्षा अनुशंसित

रोकथाम

प्रलेखित

2 फिक्स उदाहरण

2 रोकथाम

इस भेद्यता को कैसे ठीक करें

2 Shoulder डिटेक्शन नियमों पर आधारित Hardcoded Security Constants के लिए रोकथाम रणनीतियाँ।

🟨 JavaScript सब देखें JavaScript विवरण →

Hardcoded Development URLs LOW

Use environment variables for URLs with localhost as a development fallback

+1 -1 javascript

- const API_URL = 'http://localhost:3000';
+ const API_URL = process.env.API_URL || 'http://localhost:3000';
  const response = await fetch(`${API_URL}/users`);

🐍 Python सब देखें Python विवरण →

Hardcoded Development URLs LOW

Load URLs from environment variables with localhost as the development fallback

+4 -2 python

- API_URL = "http://localhost:3000/api"
- DB_HOST = "127.0.0.1"
+ import os
+ 
+ API_URL = os.getenv('API_URL', 'http://localhost:3000/api')
+ DB_HOST = os.getenv('DB_HOST', 'localhost')
  
  def fetch_data():
      response = requests.get(f'{API_URL}/data')
      return response.json()

मुख्य अभ्यास

Use environment variables
configurable via environment variables

3 पहचान

अपने कोड में भेद्यताएँ खोजें

Use of Hard-coded, Security-relevant Constants पैटर्न के लिए अपने कोडबेस को स्कैन करने के लिए Shoulder का उपयोग करें। 2 नियम.

टर्मिनल

# Scan with Shoulder CLI
npx @shoulderdev/cli trust --cwe=547

# Or scan entire project
npx @shoulderdev/cli trust .

पहचान नियम (2)

🟨 Javascript 1 rules

Hardcoded Development URLs LOW

Detects hardcoded development URLs (localhost, 127.0.0.1) in production code that should use environment variables.

🔷 Typescript 1 rules

Hardcoded Development URLs LOW

Detects hardcoded development URLs (localhost, 127.0.0.1) in production code that should use environment variables.

🐍 Python 1 rules

Hardcoded Development URLs LOW

Detects hardcoded development URLs such as localhost or 127.0.0.1 in production code. This indicates: 1. Configuration management issues 2. Potential production deployment problems 3. Leftover development/test code 4. API endpoints pointing to local services Development URLs should be configurable via environment variables.

4 चेतावनी संकेत

कोड समीक्षा में किन बातों पर ध्यान दें

ये पैटर्न संभावित Use of Hard-coded, Security-relevant Constants भेद्यताओं का संकेत देते हैं। कोड समीक्षा और सुरक्षा ऑडिट के दौरान इन्हें देखें।

🔵

Hardcoded development URL found: ... Development URLs like localhost should be configured via environment variables. javascript-hardcoded-dev-urls

🔵

hardcoded development URLs (localhost, 127 javascript-hardcoded-dev-urls

🔵

Development URL found at line ...: ... python-hardcoded-dev-urls

🔵

hardcoded development URLs such as localhost or 127 python-hardcoded-dev-urls

🔍

अपने कोडबेस को इसके लिए स्कैन करें: Use of Hard-coded, Security-relevant Constants

Shoulder CLI आपके पूरे कोडबेस में भेद्य पैटर्न खोजता है।

npx shoulder trust सभी नियम देखें