
Use of hard-coded passwords is a bad practice

Open akondasif opened this issue 6 years ago • 2 comments

I am a security researcher who is looking for security smells in Puppet scripts. I noticed two instances of hard-coded passwords, which are against the best practices recommended by Common Weakness Enumeration (CWE) [https://cwe.mitre.org/data/definitions/259.html] and also by other security practitioners. I have added Hiera support to mitigate this smell. Feedback is welcome.

Here is where I noticed hard-coded passwords: https://github.com/biemond/biemond-wildfly/blob/v0.5.x/manifests/params.pp

akondasif avatar Jul 14 '18 16:07 akondasif

Coverage Status

Coverage increased (+3.0%) to 23.447% when pulling 5c4dba0dc7ce9864164779ec0c1f27f94012bcae on akondasif:v0.5.x into 8d1593ace751d248ec55335fcfc8bb6c8a8ba1bf on biemond:v0.5.x.

coveralls avatar Jul 14 '18 16:07 coveralls

Thank you, but calling Hiera functions is a Puppet bad practice: https://puppet.com/docs/puppet/5.5/style_guide.html

"You should avoid using calls to Hiera functions in modules meant for public consumption, because not all users have implemented Hiera. Instead, we recommend using parameters that can be overridden with Hiera."

I guess the proper way to address both your point and Hiera best practice would be to force users to define this parameter.

jairojunior avatar Aug 15 '18 14:08 jairojunior
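The approach jairojunior suggests (a parameter the user must define, overridable through Hiera, instead of hiera() calls inside the module), shown as an added example that is not the puppet-wildfly module's own code; the class name, parameter names and file path are hypothetical.

```puppet
# Added example, not code from the puppet-wildfly module. The class name
# 'wildfly_example', the parameter names and the file path are hypothetical.

# BEFORE (the smell reported in the issue): a params class that ships a
# default secret. Every node that does not override it runs with this value,
# and the value lives in a public repository (CWE-259).
class wildfly_example::params {
  $mgmt_user     = 'admin'
  $mgmt_password = 'changeme'   # constructed placeholder, not a real default
}

# AFTER: the password is a typed parameter with no default. Puppet's
# automatic parameter lookup resolves 'wildfly_example::mgmt_password'
# from the user's Hiera data without the module calling hiera()/lookup()
# itself, which is what the style guide asks for. If no data layer
# provides a value, catalog compilation fails instead of silently falling
# back to a built-in secret.
class wildfly_example (
  String[1] $mgmt_password,
  String[1] $mgmt_user = 'admin',
) {
  # Wrap the secret before it reaches a resource so it is redacted from
  # reports, logs and file diffs.
  $credentials = Sensitive("user=${mgmt_user}\npassword=${mgmt_password}\n")

  file { '/etc/wildfly-example/mgmt.properties':
    ensure  => file,
    owner   => 'root',
    group   => 'root',
    mode    => '0600',
    content => $credentials,
  }
}

# Matching user-side Hiera data (for example data/common.yaml in the
# control repository), shown as a comment because it is YAML, not Puppet.
# With hiera-eyaml the value would be an encrypted ENC[...] blob rather
# than plaintext.
#
#   ---
#   wildfly_example::mgmt_password: 'constructed-example-secret'
#   wildfly_example::mgmt_user: 'wildflyadmin'
```

Applying `class { 'wildfly_example': }` on a node whose Hiera hierarchy lacks `wildfly_example::mgmt_password` fails at compile time with a missing-parameter error, which is the intended behaviour: the module never carries a usable secret of its own.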