Submission #396310: Go-Tribe gotribe None Hard-coded Credentials

Title: Go-Tribe gotribe None Hard-coded Credentials
Description: pkg/token/token.go

```go
var (
	config = Config{"Rtg8BPKNEf2mB4mgvKONGPZZQSaJWNLijxR42qRgq0iBb5", "identityKey"}
	once   sync.Once
)

...........
...........

// Sign issues a token using jwtSecret; the token's claims hold the subject passed in.
func Sign(identityKey string) (tokenString string, err error) {
	// Token contents
	token := jwt.NewWithClaims(jwt.SigningMethodHS256, jwt.MapClaims{
		config.identityKey: identityKey,
		"nbf":              time.Now().Unix(),
		"iat":              time.Now().Unix(),
		"exp":              time.Now().Add(100000 * time.Hour).Unix(),
	})

	// Issue the token
	tokenString, err = token.SignedString([]byte(config.key))

	return
}
```

In line 94 of the file 'pkg/token/token.go', hard-coded credentials (config.key) are used. This means that the key is written directly in the code or is provided to the program in some other way (such as a configuration file or environment variable). Hard-coded credentials are a very serious security risk because anyone who has access to the code or configuration can get hold of this key, potentially leading to unauthorized access or actions. In addition, if the codebase is compromised or obtained by an attacker, hard-coded keys can also be used to forge legitimate tokens or perform other sensitive operations.
Source: https://github.com/Go-Tribe/gotribe/issues/1
User: zihe (UID 56943)
Submitted: 22/08/2024 10:59 (2 years ago)
Moderated: 23/08/2024 20:34 (1 day later)
Status: Accepted
VulDB entry: 275706 [Go-Tribe gotribe up to cd3ccd32cd77852c9ea73f986eaf8c301cfb6310 pkg/token/token.go Sign config.key weak authentication]
Points: 20
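As an added example (not code from the gotribe project or from the submitter), the stand-alone Go program below reproduces the token shape of the Sign function in the description using only the standard library (crypto/hmac and crypto/sha256 in place of the jwt package), shows why a key that lives in the repository is enough for an outsider to mint a token the server accepts, and places the hardened form beside it: the key is loaded at start-up from an environment variable and refused when it is missing or shorter than 256 bits. The key value leakedKey, the function names SignHS256, VerifyHS256, ForgeAsAdmin and LoadKeyFromEnv, and the environment-variable name passed to LoadKeyFromEnv are this example's assumptions, not identifiers from the project.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"os"
	"strings"
	"time"
)

// leakedKey stands in for a secret committed to source. The value is
// constructed for this example; it is not the project's real key.
const leakedKey = "example-key-committed-to-git-0001"

// Claims mirrors jwt.MapClaims.
type Claims map[string]interface{}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// SignHS256 builds a compact JWT the way the vulnerable Sign does:
// base64url(header).base64url(claims), HMAC-SHA256 over the raw key bytes.
func SignHS256(key []byte, c Claims) (string, error) {
	payload, err := json.Marshal(c)
	if err != nil {
		return "", err
	}
	input := b64([]byte(`{"alg":"HS256","typ":"JWT"}`)) + "." + b64(payload)
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(input))
	return input + "." + b64(mac.Sum(nil)), nil
}

// VerifyHS256 recomputes the MAC, compares it in constant time and returns the claims.
func VerifyHS256(key []byte, token string) (Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil {
		return nil, err
	}
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(parts[0] + "." + parts[1]))
	if !hmac.Equal(sig, mac.Sum(nil)) {
		return nil, errors.New("signature mismatch")
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return nil, err
	}
	var c Claims
	if err := json.Unmarshal(payload, &c); err != nil {
		return nil, err
	}
	return c, nil
}

// ForgeAsAdmin is the attacker's side: with the key read out of the repository
// they mint a token for any identity. It returns the identity a server keyed
// with serverKey extracts from it, or an error if that server rejects it.
func ForgeAsAdmin(serverKey []byte) (string, error) {
	forged, err := SignHS256([]byte(leakedKey), Claims{
		"identityKey": "admin",
		"exp":         time.Now().Add(time.Hour).Unix(),
	})
	if err != nil {
		return "", err
	}
	c, err := VerifyHS256(serverKey, forged)
	if err != nil {
		return "", err
	}
	id, _ := c["identityKey"].(string)
	return id, nil
}

// LoadKeyFromEnv is the hardened form: the key is read at start-up from an
// environment variable (name is an assumption here) and must be at least 256 bits.
func LoadKeyFromEnv(name string) ([]byte, error) {
	v := os.Getenv(name)
	if v == "" {
		return nil, fmt.Errorf("%s is not set; refusing to start without a signing key", name)
	}
	key, err := base64.StdEncoding.DecodeString(v)
	if err != nil {
		return nil, fmt.Errorf("%s is not valid base64: %w", name, err)
	}
	if len(key) < 32 {
		return nil, fmt.Errorf("%s decodes to %d bytes, need at least 32", name, len(key))
	}
	return key, nil
}
```

ForgeAsAdmin([]byte(leakedKey)) returns "admin" because the server and the attacker share the value that sits in git, while ForgeAsAdmin(key) with a key obtained from LoadKeyFromEnv fails with "signature mismatch". Rotating the key is the other half of the fix once it has been committed: every token signed under the old value, including ones carrying the snippet's roughly eleven-year expiry, has to become invalid, which a rotation achieves and deleting the literal from the source alone does not.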
