Hardcoded Discord credentials in source code (SCT-1046)
Disclosing Discord credentials in source code (an OAuth2 client secret or a bot token committed to a repository) gives anyone who can read the code, or its history, the same access to the Discord application and its guilds as the legitimate owner. That can lead to a data breach and to abuse of whatever permissions the bot holds. Hardcoded credentials are also copied into every clone, build artifact and backup of the repository, so a single leak of the code exposes them.
If Discord credentials have been committed, treat them as compromised: regenerate them in the Discord Developer Portal immediately so the leaked values stop working, then remove them from the source. Deleting the line from the current revision is not enough on its own, because the value remains in version-control history.
To fix this issue, keep the credentials out of the codebase: read them from environment variables or from a configuration file that lives outside the repository (and is excluded from version control), and load them at start-up. This keeps the secrets separate from the code and lets them be rotated without a code change. Environment variables are a minimum bar rather than a strong control, since they are visible to other processes running as the same user and easily end up in crash dumps and logs; for production deployments prefer a secrets manager or the platform's secret store and inject the values into the environment at run time.
Bad practice
import discord

# Both credentials are string literals in the source: anyone with read access
# to the repository, or to its history, obtains them.
CLIENT_ID = '123456789012345678'
CLIENT_SECRET = 'a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6q7r8s9t0u1v2w3x4y5z6'

client = discord.Client(intents=discord.Intents.default())

@client.event
async def on_ready():
    print(f'We have logged in as {client.user}')
Recommended
import os
import discord

client = discord.Client(intents=discord.Intents.default())

@client.event
async def on_ready():
    print(f'We have logged in as {client.user}')
Then set the Discord credentials in environment variables, in the deployment environment or in a file outside the repository that is sourced at start-up, never in a committed file:
export DISCORD_CLIENT_ID=123456789012345678
export DISCORD_CLIENT_SECRET=a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6q7r8s9t0u1v2w3x4y5z6
export DISCORD_BOT_TOKEN=<bot token from the Discord Developer Portal>
And read them in your code:
# os.environ[...] raises KeyError when a variable is unset, so a misconfigured
# deployment fails at start-up instead of silently running with None.
client_id = os.environ['DISCORD_CLIENT_ID']          # used by OAuth2 flows
client_secret = os.environ['DISCORD_CLIENT_SECRET']  # used by OAuth2 flows

# discord.py's Client.run() authenticates with the bot token; the OAuth2
# client ID/secret pair is not a login credential and must not be passed here.
client.run(os.environ['DISCORD_BOT_TOKEN'])
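The following is an added example written for this page; it is not part of the SCT-1046 rule, of the scanner that reports it, or of discord.py. It shows two things the text above describes in prose: a fail-fast loader that reads all three Discord credentials from the environment (the recommended fix, generalised to the client ID, client secret and bot token) and a small AST-based check that flags string literals assigned to secret-looking names, which is the pattern the rule reports. The environment variable names, the `SECRET_NAME_RE` heuristic and the two embedded source samples are assumptions made for the example.

```python
"""Added example; not part of the SCT-1046 rule page or of discord.py.

Part 1: fail-fast loading of Discord credentials from the environment.
Part 2: an AST walk that reports string literals assigned to secret-looking
names (an illustrative heuristic, not the scanner's actual rule definition).
"""
import ast
import os
import re
from dataclasses import dataclass
from typing import Mapping

# Environment variable names chosen for this example.
REQUIRED_VARS = ("DISCORD_CLIENT_ID", "DISCORD_CLIENT_SECRET", "DISCORD_BOT_TOKEN")


@dataclass(repr=False)
class DiscordCredentials:
    client_id: str
    client_secret: str
    bot_token: str

    def __repr__(self) -> str:
        # Never echo secrets into logs, tracebacks or the REPL.
        return (f"DiscordCredentials(client_id={self.client_id!r}, "
                "client_secret='***', bot_token='***')")


def load_discord_credentials(env: Mapping[str, str] = os.environ) -> DiscordCredentials:
    """Read all credentials from `env`; raise if any is unset or blank.

    Failing at start-up is deliberate: os.getenv() returning None would let the
    bot run until the first API call fails with an opaque error.
    """
    values = {key: env.get(key, "").strip() for key in REQUIRED_VARS}
    missing = [key for key, value in values.items() if not value]
    if missing:
        raise RuntimeError("missing Discord credentials: " + ", ".join(missing))
    return DiscordCredentials(*(values[key] for key in REQUIRED_VARS))


# Identifier names that should never be assigned a string literal (assumed heuristic).
SECRET_NAME_RE = re.compile(r"(?i)^(discord_)?(bot_)?(client_secret|secret|token|api_key)$")


@dataclass
class Finding:
    lineno: int
    name: str


def find_hardcoded_secrets(source: str) -> list[Finding]:
    """Return assignments of non-empty string literals to secret-looking names.

    Empty literals are ignored so `token = ''` placeholders are not reported;
    values produced by os.environ[...] / os.getenv(...) are Call nodes, not
    Constant nodes, and therefore never match.
    """
    findings: list[Finding] = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Assign):
            targets = node.targets
        elif isinstance(node, ast.AnnAssign):
            targets = [node.target]
        else:
            continue
        value = node.value
        if not (isinstance(value, ast.Constant) and isinstance(value.value, str)
                and value.value.strip()):
            continue
        for target in targets:
            if isinstance(target, ast.Name) and SECRET_NAME_RE.match(target.id):
                findings.append(Finding(node.lineno, target.id))
    return findings


# Constructed samples: the page's "bad practice" snippet and a fixed form.
BAD_SAMPLE = """\
import discord
CLIENT_ID = '123456789012345678'
CLIENT_SECRET = 'a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6q7r8s9t0u1v2w3x4y5z6'
client = discord.Client(intents=discord.Intents.default())
"""

GOOD_SAMPLE = """\
import os
client_secret = os.environ['DISCORD_CLIENT_SECRET']
bot_token: str = os.getenv('DISCORD_BOT_TOKEN', '')
token = ''  # empty placeholder, filled in later; not reported
"""


if __name__ == "__main__":
    for label, sample in (("bad", BAD_SAMPLE), ("good", GOOD_SAMPLE)):
        print(label, [(f.lineno, f.name) for f in find_hardcoded_secrets(sample)])
    try:
        load_discord_credentials({})
    except RuntimeError as exc:
        print(exc)
```

Running the module reports `CLIENT_SECRET` on line 3 of the bad sample and nothing for the good one, then shows the start-up error for an empty environment. The loader takes the environment as a parameter so it can be tested without touching the real process environment, and its `__repr__` masks the secret fields so that a logged or pretty-printed credentials object cannot reintroduce the leak the rule is about.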