Hardcoded SecureString Parameter Default Value
- Query id: 4d2cf896-c053-4be5-9c95-8b4771112f29
- Query name: Hardcoded SecureString Parameter Default Value
- Platform: AzureResourceManager
- Severity: High
- Category: Secret Management
- CWE: 798
- URL: Github
Description¶
Secure parameters should not have hardcoded default value
Documentation
Code samples¶
Code samples with security vulnerabilities¶
Positive test num. 1 - bicep file
@secure()
param adminPassword string = 'HardcodedPassword'
param adminLogin string
param sqlServerName string
resource sqlServer 'Microsoft.Sql/servers@2015-05-01-preview' = {
name: sqlServerName
location: resourceGroup().location
tags: {}
properties: {
administratorLogin: adminLogin
administratorLoginPassword: adminPassword
version: '12.0'
}
}
Positive test num. 2 - json file
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "2.0.0.0",
"apiProfile": "2019-03-01-hybrid",
"parameters": {
"adminPassword": {
"defaultValue": "HardcodedPassword",
"type": "secureString"
},
"adminLogin": {
"type": "string"
},
"sqlServerName": {
"type": "string"
}
},
"variables": {},
"functions": [],
"resources": [
{
"type": "Microsoft.Sql/servers",
"apiVersion": "2015-05-01-preview",
"name": "[parameters('sqlServerName')]",
"location": "[resourceGroup().location]",
"tags": {},
"properties": {
"administratorLogin": "[parameters('adminLogin')]",
"administratorLoginPassword": "[parameters('adminPassword')]",
"version": "12.0"
}
}
],
"outputs": {}
}
Positive test num. 3 - bicep file
@secure()
param adminPassword string = 'HardcodedPassword'
param adminLogin string
param sqlServerName string
resource sqlServer 'Microsoft.Sql/servers@2015-05-01-preview' = {
name: sqlServerName
location: resourceGroup().location
tags: {}
properties: {
administratorLogin: adminLogin
administratorLoginPassword: adminPassword
version: '12.0'
}
}
Positive test num. 4 - json file
{
"properties": {
"template": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "2.0.0.0",
"apiProfile": "2019-03-01-hybrid",
"parameters": {
"adminPassword": {
"defaultValue": "HardcodedPassword",
"type": "secureString"
},
"adminLogin": {
"type": "string"
},
"sqlServerName": {
"type": "string"
}
},
"variables": {},
"functions": [],
"resources": [
{
"type": "Microsoft.Sql/servers",
"apiVersion": "2015-05-01-preview",
"name": "[parameters('sqlServerName')]",
"location": "[resourceGroup().location]",
"tags": {},
"properties": {
"administratorLogin": "[parameters('adminLogin')]",
"administratorLoginPassword": "[parameters('adminPassword')]",
"version": "12.0"
}
}
],
"outputs": {}
},
"parameters": {}
},
"kind": "template",
"type": "Microsoft.Blueprint/blueprints/artifacts",
"name": "myTemplate"
}
Code samples without security vulnerabilities¶
Negative test num. 1 - bicep file
@secure()
param secureParameter string = newGuid()
param adminLogin string
param sqlServerName string
resource sqlServer 'Microsoft.Sql/servers@2015-05-01-preview' = {
name: sqlServerName
location: resourceGroup().location
tags: {}
properties: {
administratorLogin: adminLogin
administratorLoginPassword: secureParameter
version: '12.0'
}
}
Negative test num. 2 - json file
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "2.0.0.0",
"apiProfile": "2019-03-01-hybrid",
"parameters": {
"secureParameter": {
"type": "secureString",
"defaultValue": "[newGuid()]"
},
"adminLogin": {
"type": "string"
},
"sqlServerName": {
"type": "string"
}
},
"variables": {},
"functions": [],
"resources": [
{
"type": "Microsoft.Sql/servers",
"apiVersion": "2015-05-01-preview",
"name": "[parameters('sqlServerName')]",
"location": "[resourceGroup().location]",
"tags": {},
"properties": {
"administratorLogin": "[parameters('adminLogin')]",
"administratorLoginPassword": "[parameters('secureParameter')]",
"version": "12.0"
}
}
],
"outputs": {}
}
Negative test num. 3 - bicep file
@secure()
param adminPassword string
param adminLogin string
param sqlServerName string
resource sqlServer 'Microsoft.Sql/servers@2015-05-01-preview' = {
name: sqlServerName
location: resourceGroup().location
tags: {}
properties: {
administratorLogin: adminLogin
administratorLoginPassword: adminPassword
version: '12.0'
}
}
Negative test num. 4 - json file
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "2.0.0.0",
"apiProfile": "2019-03-01-hybrid",
"parameters": {
"adminPassword": {
"type": "secureString"
},
"adminLogin": {
"type": "string"
},
"sqlServerName": {
"type": "string"
}
},
"variables": {},
"functions": [],
"resources": [
{
"type": "Microsoft.Sql/servers",
"apiVersion": "2015-05-01-preview",
"name": "[parameters('sqlServerName')]",
"location": "[resourceGroup().location]",
"tags": {},
"properties": {
"administratorLogin": "[parameters('adminLogin')]",
"administratorLoginPassword": "[parameters('adminPassword')]",
"version": "12.0"
}
}
],
"outputs": {}
}
Negative test num. 5 - bicep file
@secure()
param secureParameter string = newGuid()
param adminLogin string
param sqlServerName string
resource sqlServer 'Microsoft.Sql/servers@2015-05-01-preview' = {
name: sqlServerName
location: resourceGroup().location
tags: {}
properties: {
administratorLogin: adminLogin
administratorLoginPassword: secureParameter
version: '12.0'
}
}
Negative test num. 6 - json file
{
"properties": {
"template": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "2.0.0.0",
"apiProfile": "2019-03-01-hybrid",
"parameters": {
"secureParameter": {
"type": "secureString",
"defaultValue": "[newGuid()]"
},
"adminLogin": {
"type": "string"
},
"sqlServerName": {
"type": "string"
}
},
"variables": {},
"functions": [],
"resources": [
{
"type": "Microsoft.Sql/servers",
"apiVersion": "2015-05-01-preview",
"name": "[parameters('sqlServerName')]",
"location": "[resourceGroup().location]",
"tags": {},
"properties": {
"administratorLogin": "[parameters('adminLogin')]",
"administratorLoginPassword": "[parameters('secureParameter')]",
"version": "12.0"
}
}
],
"outputs": {}
},
"parameters": {}
},
"kind": "template",
"type": "Microsoft.Blueprint/blueprints/artifacts",
"name": "myTemplate"
}
Negative test num. 7 - bicep file
@secure()
param adminPassword string
param adminLogin string
param sqlServerName string
resource sqlServer 'Microsoft.Sql/servers@2015-05-01-preview' = {
name: sqlServerName
location: resourceGroup().location
tags: {}
properties: {
administratorLogin: adminLogin
administratorLoginPassword: adminPassword
version: '12.0'
}
}
Negative test num. 8 - json file
{
"properties": {
"template": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "2.0.0.0",
"apiProfile": "2019-03-01-hybrid",
"parameters": {
"adminPassword": {
"type": "secureString"
},
"adminLogin": {
"type": "string"
},
"sqlServerName": {
"type": "string"
}
},
"variables": {},
"functions": [],
"resources": [
{
"type": "Microsoft.Sql/servers",
"apiVersion": "2015-05-01-preview",
"name": "[parameters('sqlServerName')]",
"location": "[resourceGroup().location]",
"tags": {},
"properties": {
"administratorLogin": "[parameters('adminLogin')]",
"administratorLoginPassword": "[parameters('adminPassword')]",
"version": "12.0"
}
}
],
"outputs": {}
},
"parameters": {}
},
"kind": "template",
"type": "Microsoft.Blueprint/blueprints/artifacts",
"name": "myTemplate"
}