
Sensitive information in source code - Dependencies

Need

Protection of sensitive information in source code and dependencies

Context

  • Requirement of PHP 5.6 or later for running the application
  • Usage of PHP for server-side scripting and web development

Description

Non compliant code

<?php

return [

/*
|--------------------------------------------------------------------------
| Private Key
|--------------------------------------------------------------------------
|
| Here you may specify the private key that should be used by your
| application. This key is used to sign and verify tokens which are
| used for authentication. You should store this key in a secure place.
|
*/

'private_key' => 'your-private-key-here',

];

In the above PHP code, the private key is stored as a literal in the application's configuration file. Anyone who can read the source code, including the repository history, a build artifact or a backup, also obtains the key. Because this key signs and verifies the tokens used for authentication, an attacker holding it can forge a token for any user and gain unauthorized access to the application.

Specifically, this code is part of a Laravel backend application. Laravel is a popular PHP framework that follows the MVC (Model-View-Controller) pattern and keeps settings like this in the files under config/. Such a key should not live in the codebase or anywhere else that is easily accessible; it belongs in a protected location such as an environment variable or a secret management system.

This is a classic example of "Sensitive information in source code" and can lead to a serious breach if it is not fixed promptly.

Steps

  • Remove the private key from the source code.
  • Store the private key in a secure and protected environment, such as environment variables or a secure key management system.
  • Modify the application to retrieve the private key from the secure location instead of the source code.
  • Ensure the private key is not logged or output in any error messages or logs.
  • Rotate the private key since it has been exposed in the source code.
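The steps above, carried through in an added example that is not part of the original page or of Laravel itself. It reads the key through configuration, keeps it out of debug output, and accepts tokens signed with the previous key while a rotation is in progress. The config file config/tokens.php, the variable PREVIOUS_PUBLIC_KEYS and the class TokenSigner are names chosen for this example; it assumes PHP 7.3 or later with the openssl extension.

```php
<?php
// Added example, not code from the original page or from Laravel.
// Assumes a hypothetical config/tokens.php containing:
//
//   'private_key'          => env('PRIVATE_KEY'),              // base64 of a PEM private key
//   'previous_public_keys' => env('PREVIOUS_PUBLIC_KEYS', ''), // comma-separated base64 PEM public keys
//
// Key material is base64-encoded because a PEM block spans several lines,
// which is awkward to place in a .env file.

final class TokenSigner
{
    /** @var resource|\OpenSSLAsymmetricKey */
    private $privateKey;

    /** @var array<int, resource|\OpenSSLAsymmetricKey> keys accepted when verifying */
    private $verificationKeys = [];

    public function __construct(string $privateKeyB64, array $previousPublicKeysB64 = [])
    {
        $pem = base64_decode($privateKeyB64, true);
        $key = $pem === false ? false : openssl_pkey_get_private($pem);
        if ($key === false) {
            // Deliberately vague: exception messages end up in logs and error pages.
            throw new \RuntimeException('PRIVATE_KEY is missing or not a usable private key');
        }
        $this->privateKey = $key;

        // Tokens signed with the current key are always accepted.
        $details = openssl_pkey_get_details($key);
        $this->verificationKeys[] = openssl_pkey_get_public($details['key']);

        // During a rotation, tokens signed with the previous key stay valid until
        // they expire; remove PREVIOUS_PUBLIC_KEYS once that window has passed.
        foreach ($previousPublicKeysB64 as $b64) {
            $pub = openssl_pkey_get_public((string) base64_decode($b64, true));
            if ($pub !== false) {
                $this->verificationKeys[] = $pub;
            }
        }
    }

    /** Returns "<base64 payload>.<base64 signature>". */
    public function sign(array $claims): string
    {
        $payload = json_encode($claims, JSON_THROW_ON_ERROR);
        if (!openssl_sign($payload, $signature, $this->privateKey, OPENSSL_ALGO_SHA256)) {
            throw new \RuntimeException('token signing failed');
        }
        return base64_encode($payload) . '.' . base64_encode($signature);
    }

    /** Returns the claims, or null if the token was not signed by an accepted key. */
    public function verify(string $token): ?array
    {
        $parts = explode('.', $token);
        if (count($parts) !== 2) {
            return null;
        }
        $payload   = base64_decode($parts[0], true);
        $signature = base64_decode($parts[1], true);
        if ($payload === false || $signature === false) {
            return null;
        }
        foreach ($this->verificationKeys as $pub) {
            if (openssl_verify($payload, $signature, $pub, OPENSSL_ALGO_SHA256) === 1) {
                $claims = json_decode($payload, true);
                return is_array($claims) ? $claims : null;
            }
        }
        return null;
    }

    /** Keeps the key out of var_dump(), dd() and exception context dumps. */
    public function __debugInfo(): array
    {
        return ['privateKey' => '[redacted]', 'verificationKeys' => count($this->verificationKeys)];
    }
}

// Wiring (hypothetical, in a service provider's register() method). Read the values
// through config(), not env(): after `php artisan config:cache` the .env file is no
// longer loaded and env() returns null outside the config files.
//
// $this->app->singleton(TokenSigner::class, function () {
//     $previous = array_filter(explode(',', (string) config('tokens.previous_public_keys', '')));
//     return new TokenSigner((string) config('tokens.private_key'), $previous);
// });
```

To rotate, generate a new key pair, move the old public key into PREVIOUS_PUBLIC_KEYS, put the new private key in PRIVATE_KEY, and clear PREVIOUS_PUBLIC_KEYS once every token issued under the old key has expired.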

Compliant code

<?php

return [

/*
|--------------------------------------------------------------------------
| Private Key
|--------------------------------------------------------------------------
|
| Here you may specify the private key that should be used by your
| application. This key is used to sign and verify tokens which are
| used for authentication. You should store this key in a secure place.
|
*/

'private_key' => env('PRIVATE_KEY'),

];

The private key has been removed from the source code and is now read from an environment variable with Laravel's env() helper. Note that env() should only be called inside the files under config/: once the configuration is cached with php artisan config:cache, the .env file is no longer loaded and env() returns null elsewhere in the application, so the rest of the code should read the value through config().

The PRIVATE_KEY variable is set in the .env file, which is not committed to the repository. Restrict read access to that file to the user the application runs as. If the key is a multi-line PEM block, encode it to a single base64 line before placing it in .env, or store a path to a key file with the same restricted permissions. Keep in mind that the loaded variables are visible in $_ENV and $_SERVER, so anything that dumps them, such as phpinfo() or a framework debug page with APP_DEBUG=true, exposes the key; leave those disabled in production.

PRIVATE_KEY=your-private-key-here

This change ensures that the private key is stored in a protected environment and not in the source code. It does not by itself keep the key out of logs: make sure exception handlers, debug pages and any code that dumps configuration or the environment never include it in their output.

Since the private key was previously exposed in the source code, it should be rotated to a new value. This new value should be set in the PRIVATE_KEY environment variable in the .env file.

Remember to never commit your .env file to the source code repository. Laravel's default .gitignore already lists it; keep that entry in place. If the file or the old key has ever been committed, the value remains in the repository history, which is another reason the key must be rotated rather than merely moved.

References