Severity: high | CWE-312 | OWASP A02:2021

Connection String with Inline Password

A database connection string with a plaintext password is hardcoded in your source code, committing your database credentials to version control.

How It Works

A connection string like postgresql://myuser:mypassword@prod-db.example.com/appdb looks convenient to hardcode, but the moment it touches your git history it is compromised for good, even if you delete the line later. Automated tools continuously scan GitHub for patterns such as postgresql:// and mysql:// that carry an inline password. One public commit exposes your entire database.

Vulnerable Code

const { Pool } = require('pg');

// BAD: full connection string with password hardcoded in source
const pool = new Pool({
  connectionString: 'postgresql://appuser:Sup3rS3cr3t!@prod-db.rds.amazonaws.com/myapp'
});

Secure Code

const { Pool } = require('pg');

// GOOD: connection string read from an environment variable at startup
const pool = new Pool({
  connectionString: process.env.DATABASE_URL
  // DATABASE_URL=postgresql://appuser:password@host/db (set in .env, never committed)
});

Real-World Example

Automated scanners like TruffleHog and Gitleaks scan public GitHub repositories 24/7 and find hardcoded database credentials within minutes. In 2024, researchers found over 100,000 valid database connection strings in public GitHub repos — most were still active.

How to Prevent It

  • Move all connection strings to environment variables immediately and add them to .env (which is in .gitignore)
  • If credentials were ever committed, rotate them now — git history is permanent and the leaked password is worthless once rotated
  • Use git-secrets or gitleaks as a pre-commit hook to prevent credentials from being committed
  • Audit your full git history for past leaks with git log -S 'postgresql://' (repeat for other schemes you use, such as mysql://)
  • Use a secrets manager for production — never .env files in production environments
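As an added example (not code from the original page or from Data Hogo), a minimal pre-commit style check in the same Node.js setting: it scans staged text for connection strings with an inline password, reports each hit with the password masked so the hook output does not leak it either, and pairs that with a loader that refuses to start unless DATABASE_URL is set. The scheme list and the sample staged file are constructed assumptions.

```javascript
// Schemes checked and the shape scheme://user:password@rest (assumption: this list).
const INLINE_CRED = /\b(postgres(?:ql)?|mysql|mongodb(?:\+srv)?|redis|amqps?):\/\/([^\s:\/@'"`]+):([^\s@'"`]+)@([^\s'"`]+)/g;

// Scan text line by line; return line number, scheme, user, host and a masked copy.
// The raw password is never stored in the finding.
function findInlineCredentials(text) {
  const findings = [];
  text.split('\n').forEach((line, idx) => {
    for (const m of line.matchAll(INLINE_CRED)) {
      const [, scheme, user, password, rest] = m;
      findings.push({
        line: idx + 1,
        scheme,
        user,
        host: rest.split('/')[0],
        redacted: `${scheme}://${user}:${'*'.repeat(Math.min(password.length, 8))}@${rest}`,
      });
    }
  });
  return findings;
}

// Constructed sample of a staged file: one hardcoded string, one env lookup.
const SAMPLE_STAGED = [
  "const pool = new Pool({",
  "  connectionString: 'postgresql://appuser:Sup3rS3cr3t!@prod-db.example.com/myapp'",
  "});",
  "const other = new Pool({ connectionString: process.env.DATABASE_URL });",
].join('\n');

// Hook entry point: prints masked findings and returns the exit code git expects
// (0 = allow commit, 1 = block it).
function precommitCheck(text) {
  const findings = findInlineCredentials(text);
  for (const f of findings) {
    console.error(`line ${f.line}: inline password in ${f.redacted}`);
  }
  return findings.length === 0 ? 0 : 1;
}

// Application side: read the URL from the environment only, with no literal fallback,
// so a missing DATABASE_URL fails loudly instead of silently using a committed value.
function loadDatabaseUrl(env = process.env) {
  const url = env.DATABASE_URL;
  if (!url) throw new Error('DATABASE_URL is not set; refusing to start');
  return url;
}

console.log(`sample check exit code: ${precommitCheck(SAMPLE_STAGED)}`);
```

Wire precommitCheck to the output of git diff --cached to use it as an actual hook; the tools named above (git-secrets, gitleaks) cover far more patterns than this single regex.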

Affected Technologies

Node.js, Python, Go

Data Hogo detects this vulnerability automatically.
