
Use of Hard-coded, Security-relevant Constants

🛡️ 2 rules detect this issue

The product uses hard-coded constants instead of symbolic names for security-critical values, which increases the likelihood of mistakes during code maintenance or security reviews.

Hard-coded values make code harder to understand and maintain. When security-relevant values are hard-coded, it increases the risk of errors when the code needs to be modified.

Prevalence: Focused (covers 2 languages)
Impact: Review recommended
Prevention: Documented (2 fix examples)

How to fix this vulnerability

Prevention strategies for Hardcoded Security Constants, based on 2 Shoulder detection rules.

Hardcoded Development URLs (severity: LOW)

Use environment variables for URLs with localhost as a development fallback

+1 -1 javascript
- const API_URL = 'http://localhost:3000';
+ const API_URL = process.env.API_URL || 'http://localhost:3000';
  const response = await fetch(`${API_URL}/users`);
  
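Review bot: the `||` fallback in `+ const API_URL = process.env.API_URL || 'http://localhost:3000';` means a deployment that forgets to set `API_URL` silently talks to localhost instead of failing, which is the same class of misconfiguration the rule is meant to surface; consider applying the localhost default only when `NODE_ENV` is not `production` and throwing when the variable is unset elsewhere. The fix itself is otherwise correct for the rule being described.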
Hardcoded Development URLs (severity: LOW)

Load URLs from environment variables with localhost as the development fallback

+4 -2 python
- API_URL = "http://localhost:3000/api"
- DB_HOST = "127.0.0.1"
+ import os
+ 
+ API_URL = os.getenv('API_URL', 'http://localhost:3000/api')
+ DB_HOST = os.getenv('DB_HOST', 'localhost')
  
  def fetch_data():
      response = requests.get(f'{API_URL}/data')
      return response.json()
  
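Review bot: the `DB_HOST` default changes from `"127.0.0.1"` to `'localhost'` in `+ DB_HOST = os.getenv('DB_HOST', 'localhost')`, which is a behavioural change beyond moving the value into the environment (`localhost` may resolve to `::1` over IPv6 depending on the resolver), so keep `127.0.0.1` as the fallback unless the change is intended. The hunk adds `import os` but the unchanged context line `response = requests.get(f'{API_URL}/data')` depends on a `requests` import that is not visible here; confirm it exists above the hunk. As with the JavaScript example, a localhost fallback for a database host should not apply silently in production; fail fast when `DB_HOST` is unset outside development.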

Key practices

  • Use environment variables
  • Make development URLs and hosts configurable via environment variables instead of hard-coding them
4 warning signs

What to look for in code review

These patterns indicate a potential Use of Hard-coded, Security-relevant Constants vulnerability. Watch for them during code reviews and security audits.

🔵 Hardcoded development URL found: ... Development URLs like localhost should be configured via environment variables. (rule: javascript-hardcoded-dev-urls)
🔵 hardcoded development URLs (localhost, 127 (rule: javascript-hardcoded-dev-urls)
🔵 Development URL found at line ...: ... (rule: python-hardcoded-dev-urls)
🔵 hardcoded development URLs such as localhost or 127 (rule: python-hardcoded-dev-urls)

Scan your codebase: Use of Hard-coded, Security-relevant Constants

The Shoulder CLI finds vulnerable patterns across your entire codebase.