Rook
AI red-teamer · 42nights

Hardcoded production API key constant in server.js exposes live credentials

critical · 10.0

secrets-in-source · server.js:11-11

Introduced in 15b34d5cc6 by 42nights on 2026-06-03

Summary

server.js:11 declares a module-level constant `API_KEY` containing what appears to be a live secret (`sk_live_rook_demo_51HxConfidential000ExampleKey`). Secrets must be loaded at runtime from a secrets manager or environment variable, never embedded as a string literal in source. Because the value is committed to the repository, it is exposed to anyone with read access to the code, to anyone who can trigger source disclosure (e.g., misconfigured static hosting, stack traces, error pages, public mirrors), and to every downstream artifact (Docker images, CI logs, backups, IDE telemetry).

Impact. Anyone who reads the source code — current and former developers, contractors, anyone with repo or CI access, or an attacker who obtains a copy of the codebase or a built artifact — gets a working `sk_live_*` key. With that key they can directly call the upstream API as your application: charge or refund customers, read PII, exfiltrate data, exhaust your billing quota, or pivot to other services that trust this key. The damage persists until the key is rotated and every cached copy (git history, images, backups) is also scrubbed.

Vulnerable code — server.js

```js
const API_KEY = "«redacted»";
```

Static evidence

# Secret located by static analysis at server.js:11

Exploit transcript

```text
$ # secret present in source at server.js:11
const API_KEY = "«redacted»";
```

Confirmed: Hardcoded secret in server.js:11

CVSS v3.1

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L · 10.0 (critical)

Recommended fix

AI-suggested fix — review before applying (derived from analysis of untrusted repo content):

Remove the literal, load from environment, and fail fast if absent:

```diff
- const API_KEY = "«redacted»";
+ const API_KEY = «redacted»;
+ if (!API_KEY) {
+   throw new Error("API_KEY environment variable is required");
+ }
```
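Review bot: the added line `+ const API_KEY = «redacted»;` hides the expression the key is now read from, so the hunk as rendered cannot be checked against the lead-in; if the value comes from the environment as the lead-in says, the line should read `const API_KEY = process.env.API_KEY;`, and any `.env` loading (for example dotenv) must run before this line or the guard will throw in local development. The `if (!API_KEY)` guard correctly rejects both a missing and an empty variable; consider also rejecting the placeholder value shipped in `.env.example`, otherwise a copied template passes the check and the first failure surfaces only at the upstream API call.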

Additional required steps: (1) immediately rotate/revoke the leaked key at the provider, and treat this as the actual remediation: the key has been compromised since the moment it was committed, and nothing done to the repository afterwards recalls copies already cloned, mirrored or baked into images; (2) purge it from git history (`git filter-repo` or BFG) and force-push, then have every collaborator re-clone and rebuild any image or CI cache that still carries the old value; (3) add the key pattern to a pre-commit secret scanner (gitleaks, trufflehog) and run the same scanner in CI so a bypassed hook is still caught; (4) store production secrets in a managed secret store (AWS Secrets Manager, GCP Secret Manager, Vault) and inject at deploy time; (5) add `.env` to `.gitignore` and ship a `.env.example` with placeholder values only; (6) review the provider's access logs for use of the key after the commit date, since rotation stops future abuse but does not tell you whether abuse already happened.
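The two halves of the remediation above, the fail-fast loader and the scan that step (3) puts in a pre-commit hook, as an added example in Node.js. This is not the project's `server.js` and not the output of Rook or Otis; the `sk_live_`/`sk_test_` format check, the `REPLACE_ME` placeholder and the sample source are assumptions constructed for the example.

```javascript
// Added example, not the project's server.js: (a) a startup loader that reads
// the key from the environment and fails fast, and (b) a line scanner of the
// kind a pre-commit hook runs, applied to constructed sample source.
// The key format check and the placeholder string are assumptions for this
// example, not facts about the provider.

// Loader: mirrors the recommended fix. `env` is injectable so the behaviour can
// be exercised without touching the real process environment.
function loadApiKey(env = process.env) {
  const key = env.API_KEY;
  if (typeof key !== "string" || key.trim() === "") {
    throw new Error("API_KEY environment variable is required");
  }
  // Assumed placeholder shipped in .env.example; a copied template must not pass.
  if (key === "REPLACE_ME") {
    throw new Error("API_KEY is still the .env.example placeholder");
  }
  // Assumed key format: reject obviously wrong values at startup rather than
  // at the first upstream API call.
  if (!/^sk_(live|test)_[A-Za-z0-9_]+$/.test(key)) {
    throw new Error("API_KEY does not look like a provider key");
  }
  return key;
}

// Scanner: flags live-key literals in source text. The pattern is an
// assumption modelled on the sk_live_ prefix in the finding; production
// scanners (gitleaks, trufflehog) ship tuned rules and entropy checks.
const LIVE_KEY_RE = /sk_live_[A-Za-z0-9_]{8,}/g;

function redact(secret) {
  // Never echo a discovered secret in full into hook output or CI logs.
  return `${secret.slice(0, 8)}...${secret.slice(-4)}`;
}

function scanSource(text, filename) {
  const findings = [];
  text.split("\n").forEach((line, idx) => {
    for (const m of line.matchAll(LIVE_KEY_RE)) {
      findings.push({
        file: filename,
        line: idx + 1,
        column: m.index + 1,
        match: redact(m[0]),
      });
    }
  });
  return findings;
}

// Constructed sample input (not the repository's real server.js); the live
// key below is fake, and the sk_test_ literal shows what the rule ignores.
const SAMPLE_SOURCE = [
  'const express = require("express");',
  "",
  'const API_KEY = "sk_live_DEMO_not_a_real_key_000001";',
  'const TEST_KEY = "sk_test_DEMO_allowed_in_fixtures";',
  "const API_KEY_OK = process.env.API_KEY;",
].join("\n");

for (const f of scanSource(SAMPLE_SOURCE, "server.js")) {
  console.log(`${f.file}:${f.line}:${f.column} live key literal ${f.match}`);
}
try {
  loadApiKey({}); // empty environment: startup must refuse
} catch (e) {
  console.log(`startup refused: ${e.message}`);
}
```

The loader deliberately validates shape, not validity: it cannot tell a revoked key from a live one, so rotation at the provider remains the only thing that actually closes the exposure. The scanner reports line and column with a redacted match so the hook output itself does not become another copy of the secret.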

Ship the fix

Rook found it and proved it. Hand the finding — with its working exploit as a failing test — to Otis to write the fix PR.