LC0043
This rule has been created to encourage the adoption of the `SecretText` data type over the standard `Text` type when managing sensitive textual values.

The `SecretText` data type is designed to protect sensitive values from being exposed through the AL debugger during regular or snapshot debugging. Its use is recommended for applications that need to handle any kind of credentials, such as API keys, custom licensing tokens, or similar.
Protecting sensitive values with the SecretText data type - Business Central | Microsoft Learn
Covering all potential scenarios where sensitive textual values may arise is challenging. Currently, the rule focuses on `HttpHeaders` and the `Rest Client` codeunit.
If you have additional ideas, please initiate a new discussion so that we can collaboratively refine the rule as needed.
The rule checks calls to `.Add()`, `.TryAddWithoutValidation()` and `.GetValues()` on `HttpHeaders` when they are used in combination with the header name `Authorization`.
```al
var
    RequestHeaders: HttpHeaders;

// Flagged by LC0043: the credential is passed as a plain Text value.
procedure CouldExposeCredentials(UnprotectedCredentials: Text)
begin
    RequestHeaders.Add('Authorization', UnprotectedCredentials);
end;

// Not flagged: the credential is passed as a SecretText value.
procedure CredentialsAreProtected(Credentials: SecretText)
begin
    RequestHeaders.Add('Authorization', Credentials);
end;
```
The System Application provides a `Rest Client` codeunit, whose `SetAuthorizationHeader` method already only accepts a `SecretText`. When the `SetDefaultRequestHeader` method is used in combination with the name `Authorization`, the rule will verify that the value is a `SecretText`.
```al
var
    RestClient: Codeunit "Rest Client";
    AuthorizationTok: Label 'Authorization', Locked = true;

// Flagged by LC0043: the Authorization header value is a plain Text.
procedure CouldExposeCredentials(UnprotectedCredentials: Text)
begin
    RestClient.SetDefaultRequestHeader(AuthorizationTok, UnprotectedCredentials);
end;

// Not flagged: the Authorization header value is a SecretText.
procedure CredentialsAreProtected(Credentials: SecretText)
begin
    RestClient.SetDefaultRequestHeader(AuthorizationTok, Credentials);
end;
```
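As an added example (not code from the LinterCop wiki or the System Application), the following codeunit shows the SecretText-safe shape of both passages above: the `HttpHeaders` members the rule inspects and the `Rest Client` codeunit. It assumes the token is stored in Isolated Storage under a placeholder key, that `GetSecretValues` is the `SecretText` counterpart of `GetValues`, and uses a placeholder base URL.

```al
// Added example, not part of the original page. The storage key, the base URL
// and the GetSecretValues call are assumptions; see the lead-in above.
codeunit 50100 "Protected Authorization Sample"
{
    var
        AuthorizationTok: Label 'Authorization', Locked = true;
        TokenKeyTok: Label 'MyApiToken', Locked = true; // placeholder storage key

    // Reads the raw token from Isolated Storage straight into a SecretText, so the
    // credential never exists as a plain Text variable visible to the debugger.
    local procedure GetBearerToken(): SecretText
    var
        RawToken: SecretText;
    begin
        if not IsolatedStorage.Get(TokenKeyTok, DataScope::Module, RawToken) then
            Error('Token not configured.');
        // SecretStrSubstNo keeps the result a SecretText while adding the scheme prefix.
        exit(SecretStrSubstNo('Bearer %1', RawToken));
    end;

    // HttpHeaders: every member the rule checks receives a SecretText,
    // so LC0043 stays silent.
    procedure AddProtectedHeaders(var RequestHeaders: HttpHeaders)
    var
        HeaderValues: List of [SecretText];
    begin
        RequestHeaders.Add(AuthorizationTok, GetBearerToken());
        // Same protection on the non-validating overload.
        RequestHeaders.Remove(AuthorizationTok);
        RequestHeaders.TryAddWithoutValidation(AuthorizationTok, GetBearerToken());
        // Read the header back as SecretText rather than Text; .GetValues would
        // copy the credential into debugger-visible Text values (assumed API).
        RequestHeaders.GetSecretValues(AuthorizationTok, HeaderValues);
    end;

    // Rest Client: SetAuthorizationHeader only accepts SecretText, so it is the
    // preferred entry point over SetDefaultRequestHeader with 'Authorization'.
    procedure CallApiWithProtectedCredentials(): Codeunit "Http Response Message"
    var
        RestClient: Codeunit "Rest Client";
    begin
        RestClient.Initialize();
        RestClient.SetBaseAddress('https://api.example.com/'); // placeholder
        RestClient.SetAuthorizationHeader(GetBearerToken());
        exit(RestClient.Get('v1/ping'));
    end;
}
```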
The LinterCop has limitations in its analysis; one notable challenge is determining the value of a `Text` variable at compile time. The scenario described below therefore falls outside the scope of detection for this rule.
```al
// Not detected: the literal credential reaches HttpHeaders.Add through a
// Text parameter whose value the rule cannot resolve at compile time.
procedure SetUnprotectedCredentials()
begin
    MySetAuthorizationHeader('Authorization', 'Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIs');
end;

procedure MySetAuthorizationHeader(Name: Text; UnprotectedCredentials: Text)
var
    RequestHeaders: HttpHeaders;
begin
    RequestHeaders.Add(Name, UnprotectedCredentials);
end;
```
- Protecting sensitive values with the SecretText data type - Business Central | Microsoft Learn
- Use SecretText type to protect credentials and sensitive textual values from being revealed | Dynamics 365 2023 release wave 2 plan
- Dynamics 365 Business Central: introducing the new SecretText data type. – Stefano Demiliani
- Business Central 2023 wave 2 (BC23): Use SecretText type to protect credentials and sensitive textual values from being revealed (New SecretText type) | Dynamics 365 Lab (yzhums.com)