...
```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.SQLException;

public final Connection getConnection() throws SQLException {
  // Username and password are read at runtime from a secure config file,
  // never embedded in the source. readFromSecureConfig() stands for whatever
  // loader the application uses; it is a placeholder, not a JDK method.
  String username = readFromSecureConfig("db.username");
  String password = readFromSecureConfig("db.password");
  return DriverManager.getConnection(
      "jdbc:mysql://localhost/dbName", username, password);
}
```
It is also permissible to prompt the user for the user name and password at runtime.
When possible, sensitive information such as passwords should be stored in character arrays rather than strings, because the JVM may retain strings long after they are no longer needed. However, this example uses strings because DriverManager.getConnection() requires them.
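The following is an added example, not code from the CERT page, showing how the char[] advice above can be honoured right up to the JDBC boundary: the config file is read into a scratch buffer, the password is copied into a fresh char[] without ever passing through a String, and both arrays are wiped in finally blocks. SAMPLE_CONFIG_FILE is a constructed stand-in for the contents of a properties file read at runtime; the class name and helper names are this example's own.

```java
import java.io.IOException;
import java.io.Reader;
import java.io.StringReader;
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.SQLException;
import java.util.Arrays;

public final class RuntimeCredentials {

    // Constructed stand-in for the CONTENTS of a secure config file
    // (e.g. a db.properties with mode 0600). A real program reads that file
    // at runtime; the literal exists here only so the example runs offline.
    static final String SAMPLE_CONFIG_FILE =
        "db.url=jdbc:mysql://localhost/dbName\n"
      + "db.username=appuser\n"
      + "db.password=correct horse battery staple\n";

    /**
     * Reads the value of {@code key} from a properties-style file into a
     * fresh char[] without creating a String that contains it. The scratch
     * buffer holding the file image is wiped before returning.
     */
    static char[] readValueChars(Reader source, String key) throws IOException {
        char[] buf = new char[4096];
        int n = 0;
        int r;
        while (n < buf.length && (r = source.read(buf, n, buf.length - n)) != -1) {
            n += r;
        }
        try {
            char[] prefix = (key + "=").toCharArray();
            int lineStart = 0;
            for (int i = 0; i <= n; i++) {
                if (i == n || buf[i] == '\n') {          // end of a line (or of input)
                    if (startsWith(buf, lineStart, n, prefix)) {
                        int valStart = lineStart + prefix.length;
                        int valEnd = i;
                        if (valEnd > valStart && buf[valEnd - 1] == '\r') {
                            valEnd--;                    // tolerate CRLF line endings
                        }
                        return Arrays.copyOfRange(buf, valStart, valEnd);
                    }
                    lineStart = i + 1;
                }
            }
            throw new IllegalStateException("no entry for " + key);
        } finally {
            Arrays.fill(buf, '\0');                      // scrub the file image, value included
        }
    }

    private static boolean startsWith(char[] buf, int start, int end, char[] prefix) {
        if (start + prefix.length > end) {
            return false;
        }
        for (int k = 0; k < prefix.length; k++) {
            if (buf[start + k] != prefix[k]) {
                return false;
            }
        }
        return true;
    }

    /**
     * Opens the connection and wipes the password array afterwards, whether
     * or not getConnection() succeeds. JDBC forces the String conversion, so
     * that one copy is the piece the caller cannot scrub.
     */
    public static Connection getConnection(String url, String username, char[] password)
            throws SQLException {
        try {
            return DriverManager.getConnection(url, username, String.valueOf(password));
        } finally {
            Arrays.fill(password, '\0');
        }
    }

    public static void main(String[] args) throws IOException {
        char[] username = readValueChars(new StringReader(SAMPLE_CONFIG_FILE), "db.username");
        char[] password = readValueChars(new StringReader(SAMPLE_CONFIG_FILE), "db.password");
        System.out.println("username = " + String.valueOf(username));
        System.out.println("password length = " + password.length);
        Arrays.fill(password, '\0');
        System.out.println("password wiped: " + Arrays.equals(password, new char[password.length]));
        // getConnection(url, username, password) needs a live MySQL driver and
        // server, so it is not invoked in this offline run.
    }
}
```

In a real deployment the StringReader is replaced by a reader over the config file, and the file's permissions restrict it to the service account. Note what this does and does not buy: the buffer and the password array are scrubbed, so a heap dump taken later does not show them, but the String handed to DriverManager.getConnection() remains at the mercy of the garbage collector, which is exactly the limitation the text above describes.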
Risk Assessment
Hard coding sensitive information exposes that information to attackers.
...
| MSC18-C | Be careful while handling sensitive data, such as passwords, in program code |
| ISO/IEC TR 24772:2010 (http://www.aitcnet.org/isai/) | Hard-coded Password [XYP] |
| CWE-259 | Use of hard-coded password |
| CWE-798 | Use of hard-coded credentials |
...
| [Chess 2007] (AA. References#Chess 07) | 11.2, Outbound Passwords: Keep Passwords out of Source Code |
| [Fortify 2008] (AA. References#Fortify 08) | Unsafe Mobile Code: Database Access |
| [Gong 2003] (AA. References#Gong 03) | 9.4, Private Object State and Object Immutability |
...