Qt-Security-QUrlSetPassword

Check QUrl::setPassword and others

Required inputs: IR

The QUrl class of the Qt framework parses and manipulates URLs through various methods. This rule flags all calls to the methods QUrl::setPassword(), QUrl::setUserInfo() and QUrl::setUserName() that rely on hardcoded credentials. Hardcoded credentials pose a security risk and should be avoided, as they can be easily extracted from the binary. Using such hardcoded secrets is always an indicator of a fundamental security issue in the design of the application.

Possible Messages

| Key | Text | Severity | Disabled |
|---|---|---|---|
| static_data | The method {} is called with {}. | None | False |

Options

flag_setpassword

flag_setpassword : bool = True

Flag all calls to QUrl::setPassword() with a static password.
 

flag_setuserinfo

flag_setuserinfo : bool = True

Flag all calls to QUrl::setUserInfo() with a static password and username.
 

flag_setusername

flag_setusername : bool = True

Flag all calls to QUrl::setUserName() with a static username.
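
As an added illustration (not the rule's own implementation, which works on the IR), the following Python sketch approximates the check at source-text level and mirrors the three options above. The function name, the way the two message placeholders are filled, and the sample C++ input are assumptions made for this example.

```python
import re

# Message template of the rule's "static_data" key, as given on the page.
MESSAGE = "The method {} is called with {}."

# Option name -> (method, description); descriptions follow the option texts.
OPTIONS = {
    "flag_setpassword": ("setPassword", "a static password"),
    "flag_setuserinfo": ("setUserInfo", "a static password and username"),
    "flag_setusername": ("setUserName", "a static username"),
}

# Constructed C++ input; host, account and secret are made up.
SAMPLE = '''\
QUrl url("https://api.example.invalid/v1");
url.setUserName("svc-backup");
url.setPassword(QStringLiteral("constructed-sample"));
url.setPassword(settings.value("password").toString());
other->setUserInfo("svc:constructed-sample");
'''

def find_static_credentials(source, **options):
    """Return (line_number, message) per enabled setter called with a literal.

    Assumption: matching on the method name stands in for the type
    information the real rule takes from the IR.
    """
    enabled = {m: d for o, (m, d) in OPTIONS.items() if options.get(o, True)}
    if not enabled:
        return []
    # First argument starts with a string literal, optionally wrapped in
    # QStringLiteral(...), QLatin1String(...) or QString(...).
    call = re.compile(
        r'(?:\.|->)\s*(' + "|".join(enabled) + r')\s*\(\s*'
        r'(?:(?:QStringLiteral|QLatin1String|QString)\s*\(\s*)?"'
    )
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        if line.lstrip().startswith("//"):
            continue  # skip whole-line comments
        for match in call.finditer(line):
            method = match.group(1)
            text = MESSAGE.format(f"QUrl::{method}()", enabled[method])
            findings.append((lineno, text))
    return findings

if __name__ == "__main__":
    for lineno, text in find_static_credentials(SAMPLE):
        print(f"line {lineno}: {text}")
```

The call on line 4 of the sample, which reads the password from a settings object at run time, is not reported; only the three calls with literal arguments are.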