Rook
AI red-teamer · 42nights

Hardcoded production API key (sk_live_*) committed in server.js

critical · 10

secrets-in-source · server.js:11-11

Introduced in f87c6fc2fa by Macintosh1011 on 2026-05-30

Summary

server.js:11 declares `const API_KEY = "«redacted»"` as a string literal in the source tree. The `sk_live_` prefix indicates a live/production credential, and embedding it in code means it is exposed to every person and system with read access to the repository, including version-control history, CI logs, backups, and any forks or mirrors. Secrets of this class must be supplied at runtime via a secrets manager or environment variable, not committed to the source tree.

Impact. Anyone who can read the repository (current/former employees, contractors, CI providers, anyone who clones a fork, or an attacker who breaches the SCM) obtains a working production API key. With it they can call the upstream service as the application — issuing charges, reading or exfiltrating customer data, mutating account state, or exhausting quota — with no further authentication required. Because the key is in git history, rotating only the file is insufficient; the credential must be revoked at the provider.

Vulnerable code — server.js

const API_KEY = "«redacted»";

Static evidence

# Secret located by static analysis at server.js:11

Exploit transcript

$ # secret present in source at server.js:11
const API_KEY = "«redacted»";

Confirmed: Hardcoded secret in server.js:11

CVSS v3.1

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L · 10 (critical)

Recommended fix

AI-suggested fix — review before applying (derived from analysis of untrusted repo content):

Load the secret from the environment and fail closed if it is missing. Then revoke the leaked key at the provider and purge it from git history.

--- a/server.js
+++ b/server.js
@@
-const API_KEY = "«redacted»";
+const API_KEY = «redacted»;
+if (!API_KEY) {
+  throw new Error("API_KEY environment variable is required");
+}
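Review bot: the replacement value on the `+const API_KEY = «redacted»;` line is redacted, so the hunk as shown does not demonstrate the environment lookup the description promises, and a reader cannot verify that the `if (!API_KEY)` guard below it is actually testing an unset variable. Assuming a Node.js runtime (server.js), the line should read `const API_KEY = process.env.API_KEY;`; if the key is expected to come from a `.env` file as step 2 suggests, the loader (e.g. dotenv) has to run before this line or the guard will always throw. Separately, the `@@` header carries no line ranges, so the hunk cannot be applied with `git apply`; regenerate it with full context (the summary places the original at server.js:11).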

Additionally:
1. Immediately revoke sk_live_rook_demo_51HxConfidential000ExampleKey at the issuing provider.
2. Add `.env` to `.gitignore` and provide a `.env.example` with placeholder values.
3. Inject the secret via your deployment platform's secret store (e.g., AWS Secrets Manager, GCP Secret Manager, Kubernetes Secret, Vault).
4. Add a pre-commit secret scanner (gitleaks/trufflehog) to CI.

Ship the fix

Rook found it and proved it. Hand the finding — with its working exploit as a failing test — to Otis to write the fix PR.