import javax.sql.DataSource;

import com.zaxxer.hikari.HikariDataSource;
import org.springframework.core.env.Environment;

public class DatasourceConfig {

    // connection settings injected from configuration (declarations omitted in the question)
    private String username;
    private String dbPassword; // fallback used when the Hashicorp-labelled property is absent
    private String url;
    private String driverClassName;
    private int maxPoolSize;
    private int minPoolSize;
    private String poolName;

    public DataSource dsDatasource(Environment env) throws Exception {
        HikariDataSource dataSource = new HikariDataSource();
        dataSource.setUsername(username);
        // line flagged by Checkmarx: the password is held in an immutable String
        String password = env.getProperty(convertToHashicorpLabel());
        dataSource.setPassword(password != null ? password : dbPassword);
        if (dataSource.getPassword() == null) {
            throw new Exception("Datasource password is null");
        }
        dataSource.setJdbcUrl(url);
        dataSource.setDriverClassName(driverClassName);
        dataSource.setMaximumPoolSize(maxPoolSize);
        dataSource.setMinimumIdle(minPoolSize);
        dataSource.setPoolName(poolName);
        return dataSource;
    }

    private String convertToHashicorpLabel() {
        return username + "_label";
    }
}

Above is a Java method. When I run the Checkmarx report, it shows a heap inspection vulnerability at this line: `String password = env.getProperty(convertToHashicorpLabel());`. Can someone please help in fixing that?

trincot
  • Do you have *any* idea what that means? In what context is the application supposed to be run? Depending on `DataSource` and how it stores the password, it is irrelevant whether or not you "fix" this anyway. – luk2302 Jul 06 '21 at 13:50
  • That's just the keyword "password" used as a variable name that throws the vulnerability; just rename it. – Mr_Thorynque Jul 06 '21 at 13:50
  • @Mr_Thorynque but that does not fix anything it just basically ignores the warning. – luk2302 Jul 06 '21 at 13:52
  • See e.g. [Why is char\[\] preferred over String for passwords?](https://stackoverflow.com/questions/8881291/why-is-char-preferred-over-string-for-passwords) – luk2302 Jul 06 '21 at 13:53
  • @luk2302 yes and no; that's the reality, a password will be used in a variable, but you can hide that to reduce risk, like using char[] – Mr_Thorynque Jul 06 '21 at 14:00
  • Where are you getting this error from? In an IDE, or are you using a static code analysis tool? –  Jul 06 '21 at 14:43
  • @vish when running `checkmarx`. – luk2302 Jul 06 '21 at 14:47
  • @sunket6006 Do you have the complete report for that particular bug from `checkmarx`? Not the whole report, just that one reported bug. Usually these tools give a _reason_ why they think that is the case. –  Jul 06 '21 at 14:51

1 Answer

The risk here is that String is immutable, so the sensitive information (in this case the password) may remain in memory, where it could potentially be retrieved by an attacker with access to the host.

Use safer types such as SealedObject in conjunction with char[], as @luk2302 pointed out:

import java.security.Key;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.SealedObject;

// Seal the char[] secret; the caller keeps 'key' (e.g. KeyGenerator.getInstance("AES").generateKey())
// and later recovers the value with (char[]) soPassword.getObject(key).
SealedObject sealPassword(char[] password, Key key) throws Exception {
    Cipher c = Cipher.getInstance("AES/CBC/PKCS5Padding"); // "PKCS7Padding" is not a standard JCE name
    c.init(Cipher.ENCRYPT_MODE, key);                        // CBC with a generated IV, stored in the SealedObject
    SealedObject soPassword = new SealedObject(password, c); // char[] is Serializable; no List<Character> needed
    Arrays.fill(password, '\0');                             // wipe the plaintext copy
    return soPassword;
}
securecodeninja
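To see the answer's approach end to end, here is an added example (not the answerer's or the question's code): the password is sealed as soon as it is received and is only unsealed, used and wiped again inside `withPassword`. The class name `SealedSecret`, the method `withPassword` and the sample string are constructed for this example.

```java
import java.security.Key;
import java.util.Arrays;
import java.util.function.Function;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SealedObject;

/** Keeps a secret sealed in memory; the plaintext char[] exists only inside withPassword(). */
public final class SealedSecret {
    private final Key key;                     // process-local key, never persisted
    private final SealedObject sealedPassword; // AES/CBC ciphertext plus the IV the cipher generated

    public SealedSecret(char[] plaintext) throws Exception {
        this.key = KeyGenerator.getInstance("AES").generateKey();
        Cipher c = Cipher.getInstance("AES/CBC/PKCS5Padding");
        c.init(Cipher.ENCRYPT_MODE, key);                    // no IV given: one is generated and stored by SealedObject
        this.sealedPassword = new SealedObject(plaintext, c); // char[] is Serializable, so no boxing is needed
        Arrays.fill(plaintext, '\0');                        // the caller's copy is wiped as soon as it is sealed
    }

    /** Unseal, hand the chars to the consumer, and wipe them again whether or not it succeeds. */
    public <T> T withPassword(Function<char[], T> consumer) throws Exception {
        char[] plain = (char[]) sealedPassword.getObject(key);
        try {
            return consumer.apply(plain);
        } finally {
            Arrays.fill(plain, '\0');
        }
    }

    public static void main(String[] args) throws Exception {
        // constructed sample value standing in for env.getProperty(...).toCharArray()
        char[] fromProperty = "constructed-sample-secret".toCharArray();
        SealedSecret secret = new SealedSecret(fromProperty);
        boolean wiped = true;
        for (char ch : fromProperty) wiped &= ch == '\0';
        System.out.println("caller copy wiped: " + wiped);
        int length = secret.withPassword(chars -> chars.length);
        System.out.println("unsealed length: " + length);
    }
}
```

A consumer that needs a String, such as `HikariDataSource.setPassword`, still creates an immutable copy that cannot be wiped, so, as the comments on the question point out, sealing only shortens the time the plaintext spends on the heap.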