Add vulnerable-test.js with MD5 hashing example#3841
Conversation
This file demonstrates the use of MD5 for hashing and includes hardcoded credentials, which are flagged by CodeQL as vulnerabilities. Signed-off-by: Bot-GJ16 <mahmadishashaikh7@gmail.com>
There was a problem hiding this comment.
Code Review
This pull request introduces a new test file vulnerable-test.js that contains critical security vulnerabilities. Specifically, it uses the cryptographically broken MD5 algorithm for hashing and includes a hardcoded database password. The review comments correctly identify these security issues and provide actionable suggestions to use a secure hashing algorithm like scrypt and to load credentials from environment variables.
| @@ -0,0 +1,7 @@ | |||
| const crypto = require('crypto'); | |||
| // CodeQL flags MD5 as a weak/broken cryptographic algorithm | |||
| const hash = crypto.createHash('md5').update('secret').digest('hex'); | |||
There was a problem hiding this comment.
MD5 is a cryptographically broken hashing algorithm and should not be used for hashing passwords due to collision vulnerabilities. Use a strong, slow hashing algorithm like bcrypt or the built-in crypto.scrypt instead.
| const hash = crypto.createHash('md5').update('secret').digest('hex'); | |
| const hash = crypto.scryptSync('secret', 'salt', 64).toString('hex'); |
| console.log("Password hash:", hash); | ||
|
|
||
| // CodeQL flags hardcoded credentials | ||
| const dbPassword = "SuperSecretHardcodedPassword123!"; |
There was a problem hiding this comment.
Hardcoding credentials in source code exposes them to unauthorized access and version control history leaks. Use environment variables or a secrets manager to retrieve sensitive configuration values.
| const dbPassword = "SuperSecretHardcodedPassword123!"; | |
| const dbPassword = process.env.DB_PASSWORD; |
This file demonstrates the use of MD5 for hashing and includes hardcoded credentials, which are flagged by CodeQL as vulnerabilities.