๐ก๏ธ Sentinel: [CRITICAL] Fix hardcoded admin password vulnerability#23
๐ก๏ธ Sentinel: [CRITICAL] Fix hardcoded admin password vulnerability#23seonghobae wants to merge 4 commits into
Conversation
Removed hardcoded `ADMIN_PASSWORD` from `admin-auth.ts` and migrated it to be strictly managed via environment variables to prevent accidental leaks. Updated validation schema, `.env.example`, and CI pipelines to support this change.
|
๐ Jules, reporting for duty! I'm here to lend a hand with this pull request. When you start a review, I'll add a ๐ emoji to each comment to let you know I've read it. I'll focus on feedback directed at me and will do my best to stay out of conversations between you and other bots or reviewers to keep the noise down. I'll push a commit with your requested changes shortly after. Please note there might be a delay between these steps, but rest assured I'm on the job! For more direct control, you can switch me to Reactive Mode. When this mode is on, I will only act on comments where you specifically mention me with New to Jules? Learn more at jules.google/docs. For security, I will only act on instructions from the user who triggered this task. |
|
Warning Review limit reached
More reviews will be available in 17 minutes and 45 seconds. Learn how PR review limits work. Your organization has run out of usage credits. Purchase more in the billing tab. โ How to resolve this issue?After more reviews become available, a review can be triggered using the We recommend that you space out your commits to avoid hitting the rate limit. ๐ฆ How do rate limits work?CodeRabbit enforces hourly rate limits for each developer per organization. Our paid plans include higher PR review limits than trial, open-source, and free plans. In all cases, reviews become available again over time. During sustained high-volume PR review activity, CodeRabbit may temporarily slow when the next review becomes available. Please see our Fair Usage Limits Policy for further information. โน๏ธ Review infoโ๏ธ Run configurationConfiguration used: Organization UI Review profile: CHILL Plan: Pro Run ID: ๐ Files selected for processing (1)
๐ Walkthrough๊ฐ์ํ๋์ฝ๋ฉ๋ ๊ด๋ฆฌ์ ๋น๋ฐ๋ฒํธ๋ฅผ ํ๊ฒฝ๋ณ์๋ก ์ด๊ดํ๊ณ Zod ์คํค๋ง๋ฅผ ํตํด ๊ฒ์ฆํ๋๋ก ๊ฐ์ ํฉ๋๋ค. ์ค์ ํ์ผ๊ณผ CI ์ํฌํ๋ก์ฐ๋ฅผ ํจ๊ป ์ ๋ฐ์ดํธํ์ฌ ์ผ๊ด๋ ํ๊ฒฝ๋ณ์ ๊ด๋ฆฌ๋ฅผ ๊ตฌํํฉ๋๋ค. ๋ณ๊ฒฝ์ฌํญ๊ด๋ฆฌ์ ๋น๋ฐ๋ฒํธ ํ๊ฒฝ๋ณ์ ๋ง์ด๊ทธ๋ ์ด์
๐ฏ 2 (Simple) | โฑ๏ธ ~8๋ถ
Caution Pre-merge checks failedPlease resolve all errors before merging. Addressing warnings is optional.
โ Failed checks (1 error)
โ Passed checks (4 passed)
โจ Finishing Touches๐งช Generate unit tests (beta)
โจ Simplify code
Warning Billing warning: we have not been able to collect payment for this subscription for more than 72 hours. Please update the payment method or pay any pending invoices in Billing to avoid service interruption. Comment |
![coderabbitai[bot]](https://avatars.githubusercontent.com/in/347564?s=60&v=4){kind=small}
There was a problem hiding this comment.
Caution
Some comments are outside the diff and canโt be posted inline due to platform limitations.
โ ๏ธ Outside diff range comments (1)
packages/web/src/lib/server/env.ts (1)
1-11:โ ๏ธ Potential issue | ๐ Major | โก Quick win๋ณด์ ๊ฒฝ๊ณ ๊ฐํ๋ฅผ ์ํด
packages/web/src/lib/server/env.ts์import 'server-only'์ถ๊ฐ
env.ts๊ฐprocess.env์์ ์ํฌ๋ฆฟ์ ํ์ฑํด exportํ์ง๋งserver-only๊ฐ๋๊ฐ ์์ด, ์ค์๋ก ํด๋ผ์ด์ธํธ ๋ฒ๋ค๋ก ์ ํ๋ ์ฌ์ง๊ฐ ์์ต๋๋ค.server-only๋ฅผ ํ์ผ ์ต์๋จ์ ์ถ๊ฐํ๋ฉด Next.js์์ Client Component(๋๋ ํธ๋์งํฐ๋ธ import)๊ฐ ํด๋น ๋ชจ๋์ ๊ฐ์ ธ์ค๋ ค ํ ๋ ๋น๋ ๋จ๊ณ์์ ์ฐจ๋จ๋์ด ๋ ์์ ํฉ๋๋ค.๐ ์ ์ ์์ ์
+import 'server-only' import { z } from 'zod'๐ค Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@packages/web/src/lib/server/env.ts` around lines 1 - 11, Add the Next.js server-only guard to this module so it cannot be accidentally bundled to the client: at the top of packages/web/src/lib/server/env.ts import 'server-only' before any other code, then keep the existing EnvSchema and export const env = EnvSchema.parse(process.env) as-is; this ensures the module (and its secrets parsed by EnvSchema/env) will be rejected from client components or transitive client imports.
๐ค Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Outside diff comments:
In `@packages/web/src/lib/server/env.ts`:
- Around line 1-11: Add the Next.js server-only guard to this module so it
cannot be accidentally bundled to the client: at the top of
packages/web/src/lib/server/env.ts import 'server-only' before any other code,
then keep the existing EnvSchema and export const env =
EnvSchema.parse(process.env) as-is; this ensures the module (and its secrets
parsed by EnvSchema/env) will be rejected from client components or transitive
client imports.
โน๏ธ Review info
โ๏ธ Run configuration
Configuration used: Organization UI
Review profile: CHILL
Plan: Pro
Run ID: beb0d081-35cb-4938-8482-e709aa35414c
๐ Files selected for processing (5)
.github/workflows/ci.yml.jules/sentinel.mdpackages/web/.env.examplepackages/web/src/lib/server/admin-auth.tspackages/web/src/lib/server/env.ts
Removed hardcoded `ADMIN_PASSWORD` from `admin-auth.ts` and migrated it to be strictly managed via environment variables to prevent accidental leaks. Updated validation schema, `.env.example`, and CI pipelines to support this change.
โฆed HMAC keys Modified `safeEqual` in `admin-auth.ts` to first pre-hash the password inputs before using them as HMAC keys. This securely prevents HMAC key padding collisions while correctly maintaining a timing-safe equality check and satisfying CodeQL's secret tracking requirements.
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
Refactored `verifyAdminCredentials` to compute a `pbkdf2Sync` hash of the targets at module initialization. By avoiding plain hashing algorithms (like sha256) and using a proper key derivation function, CodeQL is satisfied. Pre-computing the target hashes ensures the single-threaded Node.js event loop isn't overly blocked during each request, balancing security requirements with DoS prevention.
|
์ด ๋ณ๊ฒฝ์ upstream vibemafiaclub/argos#19๋ก ์ด๋ฏธ ๋ฐ์๋ hardcoded admin credential ์ ๊ฑฐ์ ์ค๋ณต์ ๋๋ค. ์ต์ upstream/main ๊ธฐ์ค 26๊ฐ ํ์ผ์ stale diff์ .jules ๋ด๋ถ ํ์ผ์ ํฌํจํ๊ณ , ๋ณด์/CI ๋ณ๊ฒฝ์ ๋๋๋ฆด ์ํ์ด ์์ด ๋ซ์ต๋๋ค. |
Understood. Acknowledging that this work is a duplicate of upstream and the PR is now closed. Stopping work on this task. |
2 participants
๐จ Severity: CRITICAL
๐ก Vulnerability: A hardcoded admin password was found embedded in the source code (
packages/web/src/lib/server/admin-auth.ts), which is a major security flaw allowing attackers to bypass authentication.๐ฏ Impact: Attackers who have access to the repository, its historical commits, or derived client/server bundles could potentially extract the hardcoded password and impersonate administrative capabilities.
๐ง Fix: Removed the hardcoded value and introduced
ADMIN_PASSWORDinto the environment variable Zod schema (env.ts).verifyAdminCredentialsnow verifies againstenv.ADMIN_PASSWORD. Updated.env.exampleand CI workflow configurations.โ Verification: Ensure the
.envfile has anADMIN_PASSWORDdefined, then runpnpm --filter @argos/web build. The CI should pass successfully and attempting to login without the newly setADMIN_PASSWORDshould reject authorization.PR created automatically by Jules for task 13080653383541791497 started by @seonghobae