Hardcoded SecureString Parameter Default Value

  • Query id: 4d2cf896-c053-4be5-9c95-8b4771112f29
  • Query name: Hardcoded SecureString Parameter Default Value
  • Platform: AzureResourceManager
  • Severity: High
  • Category: Secret Management
  • CWE: 798
  • URL: Github

Description

Secure parameters should not have hardcoded default value
Documentation

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - bicep file
@secure()
param adminPassword string = 'HardcodedPassword'
param adminLogin string
param sqlServerName string

resource sqlServer 'Microsoft.Sql/servers@2015-05-01-preview' = {
  name: sqlServerName
  location: resourceGroup().location
  tags: {}
  properties: {
    administratorLogin: adminLogin
    administratorLoginPassword: adminPassword
    version: '12.0'
  }
}
Positive test num. 2 - json file
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "2.0.0.0",
  "apiProfile": "2019-03-01-hybrid",
  "parameters": {
    "adminPassword": {
      "defaultValue": "HardcodedPassword",
      "type": "secureString"
    },
    "adminLogin": {
      "type": "string"
    },
    "sqlServerName": {
      "type": "string"
    }
  },
  "variables": {},
  "functions": [],
  "resources": [
    {
      "type": "Microsoft.Sql/servers",
      "apiVersion": "2015-05-01-preview",
      "name": "[parameters('sqlServerName')]",
      "location": "[resourceGroup().location]",
      "tags": {},
      "properties": {
        "administratorLogin": "[parameters('adminLogin')]",
        "administratorLoginPassword": "[parameters('adminPassword')]",
        "version": "12.0"
      }
    }
  ],
  "outputs": {}
}
Positive test num. 3 - bicep file
@secure()
param adminPassword string = 'HardcodedPassword'
param adminLogin string
param sqlServerName string

resource sqlServer 'Microsoft.Sql/servers@2015-05-01-preview' = {
  name: sqlServerName
  location: resourceGroup().location
  tags: {}
  properties: {
    administratorLogin: adminLogin
    administratorLoginPassword: adminPassword
    version: '12.0'
  }
}

Positive test num. 4 - json file
{
  "properties": {
    "template": {
      "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
      "contentVersion": "2.0.0.0",
      "apiProfile": "2019-03-01-hybrid",
      "parameters": {
        "adminPassword": {
          "defaultValue": "HardcodedPassword",
          "type": "secureString"
        },
        "adminLogin": {
          "type": "string"
        },
        "sqlServerName": {
          "type": "string"
        }
      },
      "variables": {},
      "functions": [],
      "resources": [
        {
          "type": "Microsoft.Sql/servers",
          "apiVersion": "2015-05-01-preview",
          "name": "[parameters('sqlServerName')]",
          "location": "[resourceGroup().location]",
          "tags": {},
          "properties": {
            "administratorLogin": "[parameters('adminLogin')]",
            "administratorLoginPassword": "[parameters('adminPassword')]",
            "version": "12.0"
          }
        }
      ],
      "outputs": {}
    },
    "parameters": {}
  },
  "kind": "template",
  "type": "Microsoft.Blueprint/blueprints/artifacts",
  "name": "myTemplate"
}

Code samples without security vulnerabilities

Negative test num. 1 - bicep file
@secure()
param secureParameter string = newGuid()
param adminLogin string
param sqlServerName string

resource sqlServer 'Microsoft.Sql/servers@2015-05-01-preview' = {
  name: sqlServerName
  location: resourceGroup().location
  tags: {}
  properties: {
    administratorLogin: adminLogin
    administratorLoginPassword: secureParameter
    version: '12.0'
  }
}
Negative test num. 2 - json file
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "2.0.0.0",
  "apiProfile": "2019-03-01-hybrid",
  "parameters": {
    "secureParameter": {
      "type": "secureString",
      "defaultValue": "[newGuid()]"
    },
    "adminLogin": {
      "type": "string"
    },
    "sqlServerName": {
      "type": "string"
    }
  },
  "variables": {},
  "functions": [],
  "resources": [
    {
      "type": "Microsoft.Sql/servers",
      "apiVersion": "2015-05-01-preview",
      "name": "[parameters('sqlServerName')]",
      "location": "[resourceGroup().location]",
      "tags": {},
      "properties": {
        "administratorLogin": "[parameters('adminLogin')]",
        "administratorLoginPassword": "[parameters('secureParameter')]",
        "version": "12.0"
      }
    }
  ],
  "outputs": {}
}
Negative test num. 3 - bicep file
@secure()
param adminPassword string
param adminLogin string
param sqlServerName string

resource sqlServer 'Microsoft.Sql/servers@2015-05-01-preview' = {
  name: sqlServerName
  location: resourceGroup().location
  tags: {}
  properties: {
    administratorLogin: adminLogin
    administratorLoginPassword: adminPassword
    version: '12.0'
  }
}

Negative test num. 4 - json file
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "2.0.0.0",
  "apiProfile": "2019-03-01-hybrid",
  "parameters": {
    "adminPassword": {
      "type": "secureString"
    },
    "adminLogin": {
      "type": "string"
    },
    "sqlServerName": {
      "type": "string"
    }
  },
  "variables": {},
  "functions": [],
  "resources": [
    {
      "type": "Microsoft.Sql/servers",
      "apiVersion": "2015-05-01-preview",
      "name": "[parameters('sqlServerName')]",
      "location": "[resourceGroup().location]",
      "tags": {},
      "properties": {
        "administratorLogin": "[parameters('adminLogin')]",
        "administratorLoginPassword": "[parameters('adminPassword')]",
        "version": "12.0"
      }
    }
  ],
  "outputs": {}
}
Negative test num. 5 - bicep file
@secure()
param secureParameter string = newGuid()
param adminLogin string
param sqlServerName string

resource sqlServer 'Microsoft.Sql/servers@2015-05-01-preview' = {
  name: sqlServerName
  location: resourceGroup().location
  tags: {}
  properties: {
    administratorLogin: adminLogin
    administratorLoginPassword: secureParameter
    version: '12.0'
  }
}
Negative test num. 6 - json file
{
  "properties": {
    "template": {
      "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
      "contentVersion": "2.0.0.0",
      "apiProfile": "2019-03-01-hybrid",
      "parameters": {
        "secureParameter": {
          "type": "secureString",
          "defaultValue": "[newGuid()]"
        },
        "adminLogin": {
          "type": "string"
        },
        "sqlServerName": {
          "type": "string"
        }
      },
      "variables": {},
      "functions": [],
      "resources": [
        {
          "type": "Microsoft.Sql/servers",
          "apiVersion": "2015-05-01-preview",
          "name": "[parameters('sqlServerName')]",
          "location": "[resourceGroup().location]",
          "tags": {},
          "properties": {
            "administratorLogin": "[parameters('adminLogin')]",
            "administratorLoginPassword": "[parameters('secureParameter')]",
            "version": "12.0"
          }
        }
      ],
      "outputs": {}
    },
    "parameters": {}
  },
  "kind": "template",
  "type": "Microsoft.Blueprint/blueprints/artifacts",
  "name": "myTemplate"
}
Negative test num. 7 - bicep file
@secure()
param adminPassword string
param adminLogin string
param sqlServerName string

resource sqlServer 'Microsoft.Sql/servers@2015-05-01-preview' = {
  name: sqlServerName
  location: resourceGroup().location
  tags: {}
  properties: {
    administratorLogin: adminLogin
    administratorLoginPassword: adminPassword
    version: '12.0'
  }
}
Negative test num. 8 - json file
{
  "properties": {
    "template": {
      "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
      "contentVersion": "2.0.0.0",
      "apiProfile": "2019-03-01-hybrid",
      "parameters": {
        "adminPassword": {
          "type": "secureString"
        },
        "adminLogin": {
          "type": "string"
        },
        "sqlServerName": {
          "type": "string"
        }
      },
      "variables": {},
      "functions": [],
      "resources": [
        {
          "type": "Microsoft.Sql/servers",
          "apiVersion": "2015-05-01-preview",
          "name": "[parameters('sqlServerName')]",
          "location": "[resourceGroup().location]",
          "tags": {},
          "properties": {
            "administratorLogin": "[parameters('adminLogin')]",
            "administratorLoginPassword": "[parameters('adminPassword')]",
            "version": "12.0"
          }
        }
      ],
      "outputs": {}
    },
    "parameters": {}
  },
  "kind": "template",
  "type": "Microsoft.Blueprint/blueprints/artifacts",
  "name": "myTemplate"
}