Symfony No Use Default Secret

ID

php.symfony_no_use_default_secret

Severity

high

Resource

Risky Values

Language

Php

Tags

CWE:359, NIST.SP.800-53, OWASP:2021:A7, PCI-DSS:6.5.3, symfony

Description

This rule ensures that the default application secret in Symfony is replaced with a unique, secure value to prevent unauthorized access and data exposure.

Rationale

Using a default application secret like ThisTokenIsNotSoSecretChangeIt in a Symfony application can lead to significant security risks. The application secret is crucial for operations involving token signing, encryption, and securing sensitive information.

If not uniquely set, attackers can predict or replicate the secret, leading to potential breaches and unauthorized data manipulation. Therefore, it is essential to replace default secrets with secure, randomly generated values.

// Example of default secret (Insecure)
$container->setParameter('kernel.secret', 'ThisTokenIsNotSoSecretChangeIt'); // FLAW

The secret can also be set in the configuration files under the app/ folder (Symfony 3.x and earlier) or the config/ folder (newer Symfony versions):

# This file is auto-generated during the composer install
parameters:
  locale: en
  secret: ThisTokenIsNotSoSecretChangeIt  # FLAW

Remediation

Replace the default value with a unique, secure one that is read from an environment variable.

$container->setParameter('kernel.secret', '%env(APP_SECRET)%');
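As an added example (not part of this rule page or of Symfony itself), the check below applies this rule's logic to the three places the secret is set (PHP container code, YAML parameters, .env), flags the default and weak values, accepts the %env(...)% form, and generates a replacement equivalent to PHP's bin2hex(random_bytes(16)). The 32-character minimum and the config snippets are assumptions constructed for the demonstration.

```python
import re
import secrets

# Only the default quoted on this page; extend the set with any other skeleton defaults you know.
KNOWN_DEFAULT_SECRETS = {"ThisTokenIsNotSoSecretChangeIt"}
MIN_SECRET_LENGTH = 32  # assumption: the length bin2hex(random_bytes(16)) produces

# One pattern per place Symfony reads the secret from; group 1 is the configured value.
PATTERNS = [
    re.compile(r"""setParameter\(\s*['"]kernel\.secret['"]\s*,\s*['"]([^'"]*)['"]"""),  # PHP container
    re.compile(r"""^\s*secret:\s*['"]?([^'"#\s]*)"""),  # parameters.yml / services.yaml
    re.compile(r"""^\s*APP_SECRET=['"]?([^'"\s]*)"""),  # .env files
]

def classify_secret(value: str):
    """Return a finding reason for a configured secret value, or None when it is acceptable."""
    if value.startswith("%env(") and value.endswith(")%"):
        return None  # resolved from the environment at runtime: the remediated form
    if value == "":
        return "empty secret"
    if value in KNOWN_DEFAULT_SECRETS:
        return "known default secret"
    if len(value) < MIN_SECRET_LENGTH:
        return f"secret shorter than {MIN_SECRET_LENGTH} characters"
    return None

def scan_config(text: str, path: str = "<constructed>"):
    """Apply the rule to one config file; returns (path, line_no, reason) for each flaw found."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for pattern in PATTERNS:
            match = pattern.search(line)
            if match:
                reason = classify_secret(match.group(1))
                if reason:
                    findings.append((path, line_no, reason))
    return findings

def generate_secret() -> str:
    """Produce a replacement value equivalent to PHP's bin2hex(random_bytes(16))."""
    return secrets.token_hex(16)

# Constructed samples: the two flawed forms shown on this page, a weak .env value, and the fix.
PHP_FLAW = "$container->setParameter('kernel.secret', 'ThisTokenIsNotSoSecretChangeIt');"
YAML_FLAW = "parameters:\n  locale: en\n  secret: ThisTokenIsNotSoSecretChangeIt  # FLAW\n"
ENV_SHORT = "APP_ENV=prod\nAPP_SECRET=changeme\n"
PHP_FIXED = "$container->setParameter('kernel.secret', '%env(APP_SECRET)%');"
```

Run scan_config over each sample to see the finding tuples, and write generate_secret() into APP_SECRET for the remediated configuration.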

References

  • CWE-359: Exposure of Private Personal Information to an Unauthorized Actor.