JavaScript is not currently enabled, but is required for full CodeSonar manual search and browse functionality.

If you are viewing this file in your hub's Web GUI, enable JavaScript in your browser: you will also need it for GUI functionality.

If you opened this file directly from disk, your browser may be directly suppressing JavaScript functionality: certain browsers perform this suppression on local files (but not files delivered by web servers) for security reasons.

CodeSonar® 9.2p0 CONFIDENTIAL CodeSecure Inc
C#

CSHARP.HARDCODED.PASSWD.FILE : Password in Property File (C#)

Summary

A password is retrieved from a property file.

Password manipulation can be risky, for instance if passwords are stored in plain in a property file. Moreover, passwords stored as program constants expose to the risk of inferring the password by simply looking at the binary executable of the code. This checker identifies situations when password manipulation is done in an unsafe way.

Properties

Class Name Password in Property File (C#)
Significance security
Mnemonic CSHARP.HARDCODED.PASSWD.FILE
Categories
CWE CWE:522 Insufficiently Protected Credentials
OWASP-2017 OWASP-2017:A2 Broken authentication
OWASP-2021 OWASP-2021:A4 Insecure design
  OWASP-2021:A7 Identification and authorization failures
OWASP-2025 OWASP-2025:A06 Insecure Design
  OWASP-2025:A07 Authentication Failures
Availability Available for C# only.
Enabling Checks for this warning class are enabled by default. To disable them, add the following WARNING_FILTER rule to the project configuration file. 
WARNING_FILTER += discard class="Password in Property File (C#)"

Example 

using System;
using System.Net;


namespace DocumentationExamples
{

    public class Passwords
    {
        private static void Main(string[] args)
        { }

       private static readonly string pwd = "password";
        public void Test()
        {
            string s = "password";
            Environment.GetEnvironmentVariable("password");                                                  // Password in Property File (C#) warning issued here
            Environment.GetEnvironmentVariable(pwd);                                                         // Password in Property File (C#) warning issued here
            Environment.GetEnvironmentVariable(s);                                                           // Password in Property File (C#) warning issued here
            Environment.GetEnvironmentVariable("www.juliasoft.password");                                    // Password in Property File (C#) warning issued here
            Environment.GetEnvironmentVariable("password", EnvironmentVariableTarget.Machine);               // Password in Property File (C#) warning issued here
            Environment.GetEnvironmentVariable("www.juliasoft.password", EnvironmentVariableTarget.Process); // Password in Property File (C#) warning issued here
            Environment.SetEnvironmentVariable("com.julia.password", "goofy mouse");                         // Hardcoded Password (C#) warning issued here
            Environment.SetEnvironmentVariable("com.julia.password", s);                                     // Hardcoded Password (C#) warning issued here
            Environment.SetEnvironmentVariable("com.julia.password", s + " and " + pwd);
            NetworkCredential nc = new NetworkCredential("www.juliasoft.com", "silvio");                     // Hardcoded Password (C#) warning issued here
        }
    }
}

Resolution

Avoid storing passwords in property files and use encrypted files instead. Do not use program constants for passwords, store them in encrypted files instead.

Relevant Configuration File Parameters

The following configuration file parameters affect checks for this warning class.

 

To report problems with this documentation, please visit https://support.codesecure.com/.