Sensitive information in source code - Dependencies

Need

Secure storage of sensitive information in separate protected environments

Context

  • Usage of Dart 2.0 for building scalable and efficient web applications
  • Usage of Shelf for managing and organizing data in Node.js applications

Description

Non compliant code

import 'package:shelf/shelf.dart' as shelf;
import 'package:shelf/shelf_io.dart' as shelf_io; // serve() lives in shelf_io, not shelf

void main() {
  var app = shelf.Pipeline()
      .addMiddleware(shelf.logRequests())
      .addHandler(_echoRequest);

  shelf_io.serve(app, 'localhost', 8080).then((server) {
    print('Serving at http://${server.address.host}:${server.port}');
  });
}

shelf.Response _echoRequest(shelf.Request request) {
  return shelf.Response.ok('Request for "${request.url}"');
}

// Secret hardcoded in the source: anyone with the repository has the key.
const String PRIVATE_KEY = '5d6321f42795c';

The above code represents a basic server setup using the shelf framework in Dart. The problem lies in the declaration and usage of the PRIVATE_KEY constant. This constant is storing sensitive information, in this case a private key, directly in the source code.

This is a serious security vulnerability because anyone who has access to the source code will also have access to this private key. This can lead to unauthorized access, data breaches and other security issues.

In addition, storing sensitive information in the source code makes it difficult to manage and rotate keys. If you need to change the private key, you will need to change the source code and redeploy the application.

The secure way to handle sensitive information such as private keys, API keys and passwords is to keep it out of the code: inject it through environment variables populated from a secure, encrypted store, or read it from a secret management system. This way the sensitive information is not exposed in the source code and can be managed and rotated separately from the application code.

Steps

  • Remove the private key from the source code.
  • Store the private key in a secure and encrypted storage.
  • Use environment variables to access the private key in your application.
  • Ensure that the environment where you store the key is secure and access is restricted.
  • Rotate your keys regularly to minimize the impact if they are compromised.
  • Never expose your private key in logs, error messages, or other outward-facing information.

Compliant code

import 'dart:io';
import 'package:shelf/shelf.dart' as shelf;
import 'package:shelf/shelf_io.dart' as shelf_io; // serve() lives in shelf_io, not shelf

void main() {
  var app = shelf.Pipeline()
      .addMiddleware(shelf.logRequests())
      .addHandler(_echoRequest);

  shelf_io.serve(app, 'localhost', 8080).then((server) {
    print('Serving at http://${server.address.host}:${server.port}');
  });
}

shelf.Response _echoRequest(shelf.Request request) {
  return shelf.Response.ok('Request for "${request.url}"');
}

// Read the key from the environment at runtime. Platform.environment returns
// String?, so fail fast if the variable is missing instead of running with null.
final String PRIVATE_KEY = Platform.environment['PRIVATE_KEY'] ??
    (throw StateError('PRIVATE_KEY environment variable is not set'));

The private key was removed from the source code and stored in an environment variable. This is a more secure way to handle sensitive information, as it is not directly embedded in the code, which could be exposed if the source code is compromised.

Platform.environment, provided by dart:io, exposes the process's environment variables as a map. In this case it is used to read the 'PRIVATE_KEY' environment variable.

To set the environment variable, you can use the following command in the terminal before running your Dart program:

export PRIVATE_KEY=your_private_key

Remember to replace your_private_key with your actual private key.

This environment variable is only set for the current session. To make it permanent, you can add the export command to your shell's profile script.

Also, ensure that the environment where you store the key is secure and access is restricted. Rotate your keys regularly to minimize the impact if they are compromised. Never expose your private key in logs, error messages, or other outward-facing information.
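The following is an added example, not code from the original page, that carries the steps above a little further than the compliant snippet: the key is loaded either from PRIVATE_KEY or from a file named by PRIVATE_KEY_FILE (the convention used by container secret mounts), the server refuses to start when neither is set, only a redacted description is ever logged, and an error middleware keeps exception text out of responses. The variable name PRIVATE_KEY_FILE and the helper names are assumptions for this example.

```dart
import 'dart:io';

import 'package:shelf/shelf.dart' as shelf;
import 'package:shelf/shelf_io.dart' as shelf_io;

/// Load the key from PRIVATE_KEY, or from the file named by PRIVATE_KEY_FILE
/// (an assumed name; matches how container secret mounts are usually exposed).
/// Fails fast instead of starting the server with a missing or empty credential.
String loadPrivateKey(Map<String, String> env) {
  final direct = env['PRIVATE_KEY']?.trim();
  if (direct != null && direct.isNotEmpty) return direct;

  final path = env['PRIVATE_KEY_FILE'];
  if (path != null && path.isNotEmpty) {
    final file = File(path);
    if (!file.existsSync()) {
      throw StateError('PRIVATE_KEY_FILE points to a file that does not exist');
    }
    final fromFile = file.readAsStringSync().trim();
    if (fromFile.isNotEmpty) return fromFile;
  }
  throw StateError('No private key configured: set PRIVATE_KEY or PRIVATE_KEY_FILE');
}

/// Safe to log: reveals only the length of the secret, never its value.
String describeSecret(String secret) => '<redacted, ${secret.length} chars>';

/// Generic error handling so an exception message (which could contain the key
/// or other internal state) is never returned to the client.
shelf.Middleware hideErrors() => shelf.createMiddleware(
      errorHandler: (Object error, StackTrace stack) {
        stderr.writeln('request failed: ${error.runtimeType}');
        return shelf.Response.internalServerError(body: 'Internal error');
      },
    );

Future<void> main() async {
  final privateKey = loadPrivateKey(Platform.environment);
  print('Loaded private key: ${describeSecret(privateKey)}');

  final handler = const shelf.Pipeline()
      .addMiddleware(shelf.logRequests())
      .addMiddleware(hideErrors())
      .addHandler((shelf.Request request) =>
          shelf.Response.ok('Request for "${request.url}"'));

  final server = await shelf_io.serve(handler, 'localhost', 8080);
  print('Serving at http://${server.address.host}:${server.port}');
}
```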