...
```java
import java.io.BufferedReader;
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStreamReader;

class Password {
  public static void main(String[] args) throws IOException {
    char[] password = new char[100];
    BufferedReader br = new BufferedReader(new InputStreamReader(
        new FileInputStream("password.txt")));

    // reads the password into the char array, returns the number of characters read
    int n = br.read(password);

    // decrypt password, perform operations

    for (int i = n - 1; i >= 0; i--) {
      // manually clear out the password immediately after use
      password[i] = 0;
    }
    br.close();
  }
}
```
Noncompliant Code Example
This noncompliant code example hard codes the user name and password fields.
```java
public final Connection getConnection() throws SQLException {
  return DriverManager.getConnection("jdbc:mysql://localhost/dbName", "username", "password");
}
```
Note that the one- and two-argument java.sql.DriverManager.getConnection() methods may also be used incorrectly.
Compliant Solution
This compliant solution reads the user name and password from a configuration file present in a secure directory.
```java
// username and password are read at runtime from a secure config file
private final String username;
private final String password;

public final Connection getConnection() throws SQLException {
  return DriverManager.getConnection("jdbc:mysql://localhost/dbName", username, password);
}
```
It is also permissible to prompt the user for the user name and password at runtime and use the entered values.
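The following is an added example (not part of the original rule text) of what "a configuration file present in a secure directory" can mean in practice: the credentials are loaded from a java.util.Properties file, and the file is rejected unless it is readable only by its owner, since a world-readable config file leaks the secret just as a hard-coded literal does. The path /etc/myapp/db.properties and the property names are assumptions, and the permission check requires a POSIX file system.

```java
import java.io.IOException;
import java.io.Reader;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.attribute.PosixFilePermission;
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.SQLException;
import java.util.Properties;
import java.util.Set;

public final class ConfigCredentials {
  // Hypothetical location; the real path is deployment-specific.
  private static final Path CONFIG = Paths.get("/etc/myapp/db.properties");

  // Refuse a config file that anyone other than its owner can read or write:
  // a readable file would expose the secret as surely as a hard-coded literal.
  static void requireOwnerOnly(Path p) throws IOException {
    Set<PosixFilePermission> perms = Files.getPosixFilePermissions(p);
    for (PosixFilePermission perm : perms) {
      if (perm != PosixFilePermission.OWNER_READ
          && perm != PosixFilePermission.OWNER_WRITE) {
        throw new IOException(p + " must be owner-only, found " + perms);
      }
    }
  }

  // Expected file contents (constructed for this example):
  //   url=jdbc:mysql://localhost/dbName
  //   user=dbuser
  //   password=...
  public static Connection getConnection() throws IOException, SQLException {
    requireOwnerOnly(CONFIG);
    Properties props = new Properties();
    try (Reader r = Files.newBufferedReader(CONFIG, StandardCharsets.UTF_8)) {
      props.load(r);
    }
    String url = (String) props.remove("url");
    if (url == null || props.getProperty("user") == null
        || props.getProperty("password") == null) {
      throw new IOException("url, user and password must all be set in " + CONFIG);
    }
    // The remaining "user" and "password" keys are the names JDBC expects.
    return DriverManager.getConnection(url, props);
  }
}
```

JDBC accepts the password only as a String, so the char[] clearing shown for the password-file example above is not available here; restricting who can read the file is the control that matters.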
Risk Assessment
Hardcoding sensitive information allows a malicious user to glean the information.
...