Skip to content
Open
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
7 changes: 7 additions & 0 deletions vulnerable-test.js
Original file line number Diff line number Diff line change
@@ -0,0 +1,7 @@
const crypto = require('crypto');
// CodeQL flags MD5 as a weak/broken cryptographic algorithm
const hash = crypto.createHash('md5').update('secret').digest('hex');

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

security-high high

MD5 is a weak and broken cryptographic hash algorithm that is vulnerable to collision attacks. It should not be used for hashing sensitive data like passwords. Use a secure hashing algorithm such as SHA-256 or a dedicated password hashing function like bcrypt or argon2.

Suggested change
const hash = crypto.createHash('md5').update('secret').digest('hex');
const hash = crypto.createHash('sha256').update('secret').digest('hex');

console.log("Password hash:", hash);

// CodeQL flags hardcoded credentials
const dbPassword = "SuperSecretHardcodedPassword123!";

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

security-critical critical

Hardcoding sensitive credentials like database passwords directly in the source code is a major security risk. Store credentials in environment variables or a secrets manager instead.

Suggested change
const dbPassword = "SuperSecretHardcodedPassword123!";
const dbPassword = process.env.DB_PASSWORD;