Metastatic.Analysis.BusinessLogic.HardcodedValue (Metastatic v0.10.4)

View Source

Detects hardcoded URLs, IP addresses, and other sensitive values in string literals.

This analyzer identifies string literals containing URLs, IP addresses, and other values that should be externalized to configuration, making code more flexible and preventing accidental exposure of sensitive information.

Cross-Language Applicability

This is a universal anti-pattern that applies to all languages:

  • Python: Hardcoded strings in code
  • JavaScript/TypeScript: String literals with URLs/IPs
  • Elixir: Hardcoded binaries or strings
  • Go: String constants in code
  • Java/C#: Hardcoded string literals
  • Rust: String literals

Examples

Bad (Python)

API_URL = "https://api.example.com"
DB_HOST = "192.168.1.100"

Good (Python)

import os
API_URL = os.getenv("API_URL")
DB_HOST = os.getenv("DB_HOST")

Bad (JavaScript)

const apiUrl = "https://api.example.com";
const dbHost = "10.0.0.5";

Good (JavaScript)

const apiUrl = process.env.API_URL;
const dbHost = process.env.DB_HOST;

Bad (Elixir)

@api_url "https://api.example.com"
@db_host "192.168.1.100"

Good (Elixir)

@api_url Application.get_env(:my_app, :api_url)
@db_host System.get_env("DB_HOST")

Configuration

  • :exclude_localhost - Don't flag localhost/127.0.0.1 (default: true)
  • :exclude_local_ips - Don't flag private IP ranges (default: true)

Detection Strategy

Checks string literals for:

  1. URLs (http://, https://, ftp://, etc.)
  2. IP addresses (IPv4 format)
  3. Excludes common development values (localhost, 127.0.0.1, 192.168.x.x, etc.)