Use of Hard-coded, Security-relevant Constants (CWE-547)

Use of Hard-coded, Security-relevant Constants

The product uses hard-coded constants instead of symbolic names for security-critical values, which increases the likelihood of mistakes during code maintenance or security reviews.

Hard-coded values make code harder to understand and maintain. When security-relevant values are hard-coded, it increases the risk of errors when the code needs to be modified.

Prevalência

Focado

2 linguagens cobertas

Impacto

Médio

Revisão recomendada

Prevenção

Documentada

2 exemplos de correção

2 Prevenção

Como corrigir esta vulnerabilidade

Estratégias de prevenção para Hardcoded Security Constants baseadas em 2 regras de detecção do Shoulder.

🟨 JavaScript Ver tudo JavaScript detalhes →

Hardcoded Development URLs LOW

Use environment variables for URLs with localhost as a development fallback

+1 -1 javascript

- const API_URL = 'http://localhost:3000';
+ const API_URL = process.env.API_URL || 'http://localhost:3000';
  const response = await fetch(`${API_URL}/users`);

🐍 Python Ver tudo Python detalhes →

Hardcoded Development URLs LOW

Load URLs from environment variables with localhost as the development fallback

+4 -2 python

- API_URL = "http://localhost:3000/api"
- DB_HOST = "127.0.0.1"
+ import os
+ 
+ API_URL = os.getenv('API_URL', 'http://localhost:3000/api')
+ DB_HOST = os.getenv('DB_HOST', 'localhost')
  
  def fetch_data():
      response = requests.get(f'{API_URL}/data')
      return response.json()

Práticas-chave

Use environment variables
configurable via environment variables

3 Detecção

Encontre vulnerabilidades no seu código

Use o Shoulder para escanear seu código em busca de padrões Use of Hard-coded, Security-relevant Constants. 2 regras.

terminal

# Scan with Shoulder CLI
npx @shoulderdev/cli trust --cwe=547

# Or scan entire project
npx @shoulderdev/cli trust .

Regras de Detecção (2)

🟨 Javascript 1 rules

Hardcoded Development URLs LOW

Detects hardcoded development URLs (localhost, 127.0.0.1) in production code that should use environment variables.

🔷 Typescript 1 rules

Hardcoded Development URLs LOW

Detects hardcoded development URLs (localhost, 127.0.0.1) in production code that should use environment variables.

🐍 Python 1 rules

Hardcoded Development URLs LOW

Detects hardcoded development URLs such as localhost or 127.0.0.1 in production code. This indicates: 1. Configuration management issues 2. Potential production deployment problems 3. Leftover development/test code 4. API endpoints pointing to local services Development URLs should be configurable via environment variables.

4 Sinais de Alerta

O que observar nas revisões de código

Estes padrões indicam vulnerabilidades potenciais de Use of Hard-coded, Security-relevant Constants. Procure-os durante revisões de código e auditorias de segurança.

🔵

Hardcoded development URL found: ... Development URLs like localhost should be configured via environment variables. javascript-hardcoded-dev-urls

🔵

hardcoded development URLs (localhost, 127 javascript-hardcoded-dev-urls

🔵

Development URL found at line ...: ... python-hardcoded-dev-urls

🔵

hardcoded development URLs such as localhost or 127 python-hardcoded-dev-urls

🔍

Escaneie seu código para Use of Hard-coded, Security-relevant Constants

O Shoulder CLI encontra padrões vulneráveis em todo o seu código.

npx shoulder trust Ver todas as regras