Skip to content
Open
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
7 changes: 7 additions & 0 deletions vulnerable-test.js
Original file line number Diff line number Diff line change
@@ -0,0 +1,7 @@
const crypto = require('crypto');
// CodeQL flags MD5 as a weak/broken cryptographic algorithm
const hash = crypto.createHash('md5').update('secret').digest('hex');

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

security-critical critical

MD5 is a cryptographically broken hashing algorithm and should not be used for hashing passwords due to collision vulnerabilities. Use a strong, slow hashing algorithm like bcrypt or the built-in crypto.scrypt instead.

Suggested change
const hash = crypto.createHash('md5').update('secret').digest('hex');
const hash = crypto.scryptSync('secret', 'salt', 64).toString('hex');

console.log("Password hash:", hash);

// CodeQL flags hardcoded credentials
const dbPassword = "SuperSecretHardcodedPassword123!";

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

security-critical critical

Hardcoding credentials in source code exposes them to unauthorized access and version control history leaks. Use environment variables or a secrets manager to retrieve sensitive configuration values.

Suggested change
const dbPassword = "SuperSecretHardcodedPassword123!";
const dbPassword = process.env.DB_PASSWORD;