colin
/
ploughshares
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Security improvements: Replace hardcoded secrets with env vars and remove stale report
ci/woodpecker/push/woodpecker Pipeline was successful Details

This commit is contained in:
colin 2025-08-27 21:27:37 -04:00
parent d4ed8cfa08
commit d6e10b1b51
3 changed files with 16 additions and 88 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
docker/ploughshares/app.py
View File

@ -34,7 +34,8 @@ if not VERSION:
# Initialize the Flask app # Initialize the Flask app
app = Flask(__name__) app = Flask(__name__)
app.secret_key = 'supersecretkey' # Use environment variable for Flask secret key with a development-safe default
app.secret_key = os.environ.get('SECRET_KEY', 'dev-insecure-secret-key')
app.config['UPLOAD_FOLDER'] = 'uploads' app.config['UPLOAD_FOLDER'] = 'uploads'
app.config['VERSION'] = VERSION app.config['VERSION'] = VERSION
@ -973,4 +974,5 @@ if __name__ == '__main__':
logger.info(f"Starting Ploughshares v{VERSION}") logger.info(f"Starting Ploughshares v{VERSION}")
bootstrap_database() bootstrap_database()
port = int(os.environ.get('FLASK_RUN_PORT', 5001)) port = int(os.environ.get('FLASK_RUN_PORT', 5001))
app.run(host='0.0.0.0', port=port) host = os.environ.get('FLASK_RUN_HOST', '0.0.0.0')
app.run(host=host, port=port)

18
docker/ploughshares/init_db.py
View File

@ -2,13 +2,19 @@ import psycopg2
import os import os
def init_db(): def init_db():
# Database connection parameters # Database connection parameters (use env vars with sensible defaults)
host = os.environ.get('POSTGRES_HOST', 'db')
port = int(os.environ.get('POSTGRES_PORT', 5432))
dbname = os.environ.get('POSTGRES_DB', 'ploughshares')
user = os.environ.get('POSTGRES_USER', 'ploughshares')
password = os.environ.get('POSTGRES_PASSWORD', 'ploughshares_password')
conn = psycopg2.connect( conn = psycopg2.connect(
host="db", host=host,
port=5432, port=port,
dbname="ploughshares", dbname=dbname,
user="ploughshares", user=user,
password="ploughshares_password" password=password
) )
conn.autocommit = True conn.autocommit = True
cursor = conn.cursor() cursor = conn.cursor()

80
final-report.md
View File

@ -1,80 +0,0 @@
# Ploughshares Application Test and Deployment Report
## Deployment Status
✅ **Application successfully deployed**
- Web application running at http://localhost:5001
- API documentation available at http://localhost:5001/api-docs
- Database connected and healthy
## Test Results
### Functionality Tests
✅ **All tests passed**
- Core imports verified
- API routes verified
### Code Quality Tests
✅ **All tests passed**
- Python syntax valid
- No inappropriate print statements (in files other than app.py)
### Dependency Tests
✅ **All tests passed**
- requirements.txt exists and is valid
- No known vulnerable package versions
## Security Scan Results
### Dependency Vulnerabilities (Safety)
✅ **No vulnerabilities detected in dependencies**
All dependencies have been updated to secure versions:
- Flask: 2.2.2 → 3.1.1
- psycopg2-binary: 2.9.3 → 2.9.9
- requests: 2.28.1 → 2.32.2
- gunicorn: 20.1.0 → 23.0.0
- Werkzeug: 2.3.7 → 3.1.0 (updated from 3.0.6 to resolve dependency conflict)
- Jinja2: 3.1.2 → 3.1.6
- itsdangerous: 2.1.2 → 2.2.0 (updated to resolve dependency conflict)
### Code Security Issues (Bandit)
⚠️ **5 potential security issues detected**
1. **Hardcoded Password String** (Severity: Low, Confidence: Medium)
- Location: app.py:20
- Issue: `app.secret_key = 'supersecretkey'`
- CWE-259: Use of Hard-coded Password
2. **Binding to All Interfaces** (Severity: Medium, Confidence: Medium)
- Location: app.py:220
- Issue: `app.run(host='0.0.0.0', port=port)`
- CWE-605: Multiple Binds to the Same Port
3. **Hardcoded Password in Function Argument** (Severity: Low, Confidence: Medium)
- Location: init_db.py:6-11
- Issue: `password="testpass"` in database connection
- CWE-259: Use of Hard-coded Password
4-5. **Duplicate issues in app_fixed.py** (backup file)
## Recommendations
### Immediate Actions
1. ✅ **Update vulnerable dependencies** - COMPLETED
2. **Replace hardcoded secrets** with environment variables
3. **Restrict network binding** in production environments
### Long-term Improvements
1. Implement **secret management** solution
2. Add **continuous security scanning** in CI/CD pipeline
3. Establish **dependency update policy**
## Next Steps
1. Run `./install-codechecks.sh` to install all required code quality tools
2. Address remaining security findings by:
- Moving secrets to environment variables
- Limiting network binding in production
- Removing hardcoded passwords in test scripts