Security improvements: Replace hardcoded secrets with env vars and remove stale report
ci/woodpecker/push/woodpecker Pipeline was successful
Details
ci/woodpecker/push/woodpecker Pipeline was successful
Details
This commit is contained in:
parent
d4ed8cfa08
commit
d6e10b1b51
|
|
@ -34,7 +34,8 @@ if not VERSION:
|
|||
|
||||
# Initialize the Flask app
|
||||
app = Flask(__name__)
|
||||
app.secret_key = 'supersecretkey'
|
||||
# Use environment variable for Flask secret key with a development-safe default
|
||||
app.secret_key = os.environ.get('SECRET_KEY', 'dev-insecure-secret-key')
|
||||
app.config['UPLOAD_FOLDER'] = 'uploads'
|
||||
app.config['VERSION'] = VERSION
|
||||
|
||||
|
|
@ -973,4 +974,5 @@ if __name__ == '__main__':
|
|||
logger.info(f"Starting Ploughshares v{VERSION}")
|
||||
bootstrap_database()
|
||||
port = int(os.environ.get('FLASK_RUN_PORT', 5001))
|
||||
app.run(host='0.0.0.0', port=port)
|
||||
host = os.environ.get('FLASK_RUN_HOST', '0.0.0.0')
|
||||
app.run(host=host, port=port)
|
||||
|
|
|
|||
|
|
@ -2,13 +2,19 @@ import psycopg2
|
|||
import os
|
||||
|
||||
def init_db():
|
||||
# Database connection parameters
|
||||
# Database connection parameters (use env vars with sensible defaults)
|
||||
host = os.environ.get('POSTGRES_HOST', 'db')
|
||||
port = int(os.environ.get('POSTGRES_PORT', 5432))
|
||||
dbname = os.environ.get('POSTGRES_DB', 'ploughshares')
|
||||
user = os.environ.get('POSTGRES_USER', 'ploughshares')
|
||||
password = os.environ.get('POSTGRES_PASSWORD', 'ploughshares_password')
|
||||
|
||||
conn = psycopg2.connect(
|
||||
host="db",
|
||||
port=5432,
|
||||
dbname="ploughshares",
|
||||
user="ploughshares",
|
||||
password="ploughshares_password"
|
||||
host=host,
|
||||
port=port,
|
||||
dbname=dbname,
|
||||
user=user,
|
||||
password=password
|
||||
)
|
||||
conn.autocommit = True
|
||||
cursor = conn.cursor()
|
||||
|
|
|
|||
|
|
@ -1,80 +0,0 @@
|
|||
# Ploughshares Application Test and Deployment Report
|
||||
|
||||
## Deployment Status
|
||||
|
||||
✅ **Application successfully deployed**
|
||||
- Web application running at http://localhost:5001
|
||||
- API documentation available at http://localhost:5001/api-docs
|
||||
- Database connected and healthy
|
||||
|
||||
## Test Results
|
||||
|
||||
### Functionality Tests
|
||||
✅ **All tests passed**
|
||||
- Core imports verified
|
||||
- API routes verified
|
||||
|
||||
### Code Quality Tests
|
||||
✅ **All tests passed**
|
||||
- Python syntax valid
|
||||
- No inappropriate print statements (in files other than app.py)
|
||||
|
||||
### Dependency Tests
|
||||
✅ **All tests passed**
|
||||
- requirements.txt exists and is valid
|
||||
- No known vulnerable package versions
|
||||
|
||||
## Security Scan Results
|
||||
|
||||
### Dependency Vulnerabilities (Safety)
|
||||
|
||||
✅ **No vulnerabilities detected in dependencies**
|
||||
|
||||
All dependencies have been updated to secure versions:
|
||||
- Flask: 2.2.2 → 3.1.1
|
||||
- psycopg2-binary: 2.9.3 → 2.9.9
|
||||
- requests: 2.28.1 → 2.32.2
|
||||
- gunicorn: 20.1.0 → 23.0.0
|
||||
- Werkzeug: 2.3.7 → 3.1.0 (updated from 3.0.6 to resolve dependency conflict)
|
||||
- Jinja2: 3.1.2 → 3.1.6
|
||||
- itsdangerous: 2.1.2 → 2.2.0 (updated to resolve dependency conflict)
|
||||
|
||||
### Code Security Issues (Bandit)
|
||||
|
||||
⚠️ **5 potential security issues detected**
|
||||
|
||||
1. **Hardcoded Password String** (Severity: Low, Confidence: Medium)
|
||||
- Location: app.py:20
|
||||
- Issue: `app.secret_key = 'supersecretkey'`
|
||||
- CWE-259: Use of Hard-coded Password
|
||||
|
||||
2. **Binding to All Interfaces** (Severity: Medium, Confidence: Medium)
|
||||
- Location: app.py:220
|
||||
- Issue: `app.run(host='0.0.0.0', port=port)`
|
||||
- CWE-605: Multiple Binds to the Same Port
|
||||
|
||||
3. **Hardcoded Password in Function Argument** (Severity: Low, Confidence: Medium)
|
||||
- Location: init_db.py:6-11
|
||||
- Issue: `password="testpass"` in database connection
|
||||
- CWE-259: Use of Hard-coded Password
|
||||
|
||||
4-5. **Duplicate issues in app_fixed.py** (backup file)
|
||||
|
||||
## Recommendations
|
||||
|
||||
### Immediate Actions
|
||||
1. ✅ **Update vulnerable dependencies** - COMPLETED
|
||||
2. **Replace hardcoded secrets** with environment variables
|
||||
3. **Restrict network binding** in production environments
|
||||
|
||||
### Long-term Improvements
|
||||
1. Implement **secret management** solution
|
||||
2. Add **continuous security scanning** in CI/CD pipeline
|
||||
3. Establish **dependency update policy**
|
||||
|
||||
## Next Steps
|
||||
1. Run `./install-codechecks.sh` to install all required code quality tools
|
||||
2. Address remaining security findings by:
|
||||
- Moving secrets to environment variables
|
||||
- Limiting network binding in production
|
||||
- Removing hardcoded passwords in test scripts
|
||||
Loading…
Reference in New Issue