diff --git a/docker/ploughshares/app.py b/docker/ploughshares/app.py index 86bd12b..03cac62 100644 --- a/docker/ploughshares/app.py +++ b/docker/ploughshares/app.py @@ -34,7 +34,8 @@ if not VERSION: # Initialize the Flask app app = Flask(__name__) -app.secret_key = 'supersecretkey' +# Use environment variable for Flask secret key with a development-safe default +app.secret_key = os.environ.get('SECRET_KEY', 'dev-insecure-secret-key') app.config['UPLOAD_FOLDER'] = 'uploads' app.config['VERSION'] = VERSION @@ -973,4 +974,5 @@ if __name__ == '__main__': logger.info(f"Starting Ploughshares v{VERSION}") bootstrap_database() port = int(os.environ.get('FLASK_RUN_PORT', 5001)) - app.run(host='0.0.0.0', port=port) + host = os.environ.get('FLASK_RUN_HOST', '0.0.0.0') + app.run(host=host, port=port) diff --git a/docker/ploughshares/init_db.py b/docker/ploughshares/init_db.py index dd7c48b..1f2a807 100644 --- a/docker/ploughshares/init_db.py +++ b/docker/ploughshares/init_db.py @@ -2,13 +2,19 @@ import psycopg2 import os def init_db(): - # Database connection parameters + # Database connection parameters (use env vars with sensible defaults) + host = os.environ.get('POSTGRES_HOST', 'db') + port = int(os.environ.get('POSTGRES_PORT', 5432)) + dbname = os.environ.get('POSTGRES_DB', 'ploughshares') + user = os.environ.get('POSTGRES_USER', 'ploughshares') + password = os.environ.get('POSTGRES_PASSWORD', 'ploughshares_password') + conn = psycopg2.connect( - host="db", - port=5432, - dbname="ploughshares", - user="ploughshares", - password="ploughshares_password" + host=host, + port=port, + dbname=dbname, + user=user, + password=password ) conn.autocommit = True cursor = conn.cursor() diff --git a/final-report.md b/final-report.md deleted file mode 100644 index fdb2ed4..0000000 --- a/final-report.md +++ /dev/null @@ -1,80 +0,0 @@ -# Ploughshares Application Test and Deployment Report - -## Deployment Status - -✅ **Application successfully deployed** -- Web application running at http://localhost:5001 -- API documentation available at http://localhost:5001/api-docs -- Database connected and healthy - -## Test Results - -### Functionality Tests -✅ **All tests passed** -- Core imports verified -- API routes verified - -### Code Quality Tests -✅ **All tests passed** -- Python syntax valid -- No inappropriate print statements (in files other than app.py) - -### Dependency Tests -✅ **All tests passed** -- requirements.txt exists and is valid -- No known vulnerable package versions - -## Security Scan Results - -### Dependency Vulnerabilities (Safety) - -✅ **No vulnerabilities detected in dependencies** - -All dependencies have been updated to secure versions: -- Flask: 2.2.2 → 3.1.1 -- psycopg2-binary: 2.9.3 → 2.9.9 -- requests: 2.28.1 → 2.32.2 -- gunicorn: 20.1.0 → 23.0.0 -- Werkzeug: 2.3.7 → 3.1.0 (updated from 3.0.6 to resolve dependency conflict) -- Jinja2: 3.1.2 → 3.1.6 -- itsdangerous: 2.1.2 → 2.2.0 (updated to resolve dependency conflict) - -### Code Security Issues (Bandit) - -⚠️ **5 potential security issues detected** - -1. **Hardcoded Password String** (Severity: Low, Confidence: Medium) - - Location: app.py:20 - - Issue: `app.secret_key = 'supersecretkey'` - - CWE-259: Use of Hard-coded Password - -2. **Binding to All Interfaces** (Severity: Medium, Confidence: Medium) - - Location: app.py:220 - - Issue: `app.run(host='0.0.0.0', port=port)` - - CWE-605: Multiple Binds to the Same Port - -3. **Hardcoded Password in Function Argument** (Severity: Low, Confidence: Medium) - - Location: init_db.py:6-11 - - Issue: `password="testpass"` in database connection - - CWE-259: Use of Hard-coded Password - -4-5. **Duplicate issues in app_fixed.py** (backup file) - -## Recommendations - -### Immediate Actions -1. ✅ **Update vulnerable dependencies** - COMPLETED -2. **Replace hardcoded secrets** with environment variables -3. **Restrict network binding** in production environments - -### Long-term Improvements -1. Implement **secret management** solution -2. Add **continuous security scanning** in CI/CD pipeline -3. Establish **dependency update policy** - -## Next Steps -1. Run `./install-codechecks.sh` to install all required code quality tools -2. Address remaining security findings by: - - Moving secrets to environment variables - - Limiting network binding in production - - Removing hardcoded passwords in test scripts \ No newline at end of file