| Title | demozx gf_cms None Hard-coded Credentials |
|---|---|
| Description | |

```go
func init() {
	service.RegisterAuth(New())
	auth := jwt.New(&jwt.GfJWTMiddleware{
		Realm:           "test zone",
		Key:             []byte("secret key"), // hard-coded signing key reported here
		Timeout:         time.Minute * 5,
		MaxRefresh:      time.Minute * 5,
		IdentityKey:     "id",
		TokenLookup:     "header: Authorization, query: token, cookie: jwt",
		TokenHeadName:   "Bearer",
		TimeFunc:        time.Now,
		Authenticator:   Auth().Authenticator,
		Unauthorized:    Auth().Unauthorized,
		PayloadFunc:     Auth().PayloadFunc,
		IdentityHandler: Auth().IdentityHandler,
	})
	authService = auth
}
```

In file `internal/logic/auth/auth.go` line 37, there is a hard-coded key (`Key`) value, namely "secret key". Hard-coded credentials (such as keys, passwords, API keys, etc.) are one of the common mistakes of security development. If an attacker has access to these hard-coded credentials, they may be able to exploit this data to access a system or service. Hard-coded credentials often lead to security risks because they make it easier for attackers to obtain sensitive information and potentially use it to perform malicious activities.

| Source | ⚠️ https://github.com/demozx/gf_cms/issues/5 |
|---|---|
| User | zihe (UID 56943) |
| Submission | 19/08/2024 14:40 (2 years ago) |
| Moderation | 20/08/2024 10:16 (20 hours later) |
| Status | Accepted |
| VulDB entry | 275199 [demozx gf_cms 1.0/1.0.1 JWT Authentication auth.go init weak authentication] |
| Points | 20 |
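
One way to remove the literal `Key: []byte("secret key")` described above, as an added example that is not gf_cms code: load the signing key from the environment and refuse to start when it is missing, too short, or still the literal from the report. The variable name `GF_CMS_JWT_KEY`, the base64 encoding, the 32-byte minimum and the function `loadJWTKey` are assumptions made for this illustration.

```go
package main

import (
	"encoding/base64"
	"errors"
	"fmt"
	"os"
)

// Assumed names for this example; neither exists in gf_cms.
const jwtKeyEnv = "GF_CMS_JWT_KEY"
const minKeyBytes = 32 // assumed floor: match the 256-bit HMAC-SHA256 output size

// loadJWTKey reads a base64-encoded signing key through getenv and rejects
// values that are missing, the reported literal, malformed, or too short.
func loadJWTKey(getenv func(string) string) ([]byte, error) {
	raw := getenv(jwtKeyEnv)
	if raw == "" {
		return nil, errors.New(jwtKeyEnv + " is not set")
	}
	if raw == "secret key" {
		return nil, errors.New(jwtKeyEnv + " still holds the hard-coded value")
	}
	key, err := base64.StdEncoding.DecodeString(raw)
	if err != nil {
		return nil, fmt.Errorf("%s is not valid base64: %w", jwtKeyEnv, err)
	}
	if len(key) < minKeyBytes {
		return nil, fmt.Errorf("%s decodes to %d bytes, need at least %d", jwtKeyEnv, len(key), minKeyBytes)
	}
	return key, nil
}

func main() {
	key, err := loadJWTKey(os.Getenv)
	if err != nil {
		// Fail closed: never fall back to a built-in signing key.
		fmt.Fprintln(os.Stderr, "refusing to start:", err)
		os.Exit(1)
	}
	// The returned slice would be passed as Key in the middleware config.
	fmt.Printf("loaded %d-byte JWT signing key\n", len(key))
}
```

Tokens signed with the old key stay valid until they expire or the key is replaced, so the key has to be rotated when the literal is removed.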