From 46943a80232d900cb0e18d83310b1515c4808967 Mon Sep 17 00:00:00 2001
From: Nguyen Van Nam
Date: Mon, 30 Mar 2026 07:02:42 +0700
Subject: [PATCH] fix(security): hardcoded default database credentials in production config

The config includes usable default credentials (`DB_USER='warranty_user'`, `DB_PASSWORD='warranty_password'`, `DB_ADMIN_USER='warracker_admin'`, `DB_ADMIN_PASSWORD='change_this_password_in_production'`). In real deployments, missing env vars will silently activate these predictable credentials, allowing unauthorized DB access if the database is reachable.

Affected files: config.py

Signed-off-by: Nguyen Van Nam
---
 backend/config.py | 15 +++++++++++----
 1 file changed, 11 insertions(+), 4 deletions(-)

diff --git a/backend/config.py b/backend/config.py
index 226e095..5b6f911 100644
--- a/backend/config.py
+++ b/backend/config.py
@@ -38,10 +38,10 @@ def _check_secret_key():
 # Database Configuration
 DB_HOST = os.environ.get('DB_HOST', 'warrackerdb')
 DB_NAME = os.environ.get('DB_NAME', 'warranty_db')
- DB_USER = os.environ.get('DB_USER', 'warranty_user')
- DB_PASSWORD = os.environ.get('DB_PASSWORD', 'warranty_password')
- DB_ADMIN_USER = os.environ.get('DB_ADMIN_USER', 'warracker_admin')
- DB_ADMIN_PASSWORD = os.environ.get('DB_ADMIN_PASSWORD', 'change_this_password_in_production')
+ DB_USER = os.environ.get('DB_USER')
+ DB_PASSWORD = os.environ.get('DB_PASSWORD')
+ DB_ADMIN_USER = os.environ.get('DB_ADMIN_USER')
+ DB_ADMIN_PASSWORD = os.environ.get('DB_ADMIN_PASSWORD')
 # File Upload Configuration
 UPLOAD_FOLDER = os.environ.get('UPLOAD_FOLDER', '/data/uploads')
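Review bot: The four credential settings on the base `Config` now resolve to `None` for every configuration class, but the only guard this patch adds lives in `ProductionConfig.init_app`. A development or testing config, or any code path that reads these values without going through `init_app`, will pass `None` to the database driver and fail later with a less obvious error; depending on the driver, a missing user or password may also fall back to ambient settings, which is worth confirming. A comment above the block would record the intent, e.g. `# No fallbacks on purpose: credentials must come from the environment (enforced in ProductionConfig.init_app).` The commit lists only config.py, so it is also worth searching the rest of the repository and any sample env or compose files for the same literals, since a fallback elsewhere would defeat this change. The enclosing class body starts and ends outside the hunk.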
@@ -118,6 +118,13 @@ class ProductionConfig(Config):
 @staticmethod
 def init_app(app):
+ missing_db_vars = [
+ var for var in ('DB_USER', 'DB_PASSWORD', 'DB_ADMIN_USER', 'DB_ADMIN_PASSWORD')
+ if not app.config.get(var)
+ ]
+ if missing_db_vars:
+ raise RuntimeError(f"Missing required database environment variables: {', '.join(missing_db_vars)}")
+
 Config.init_app(app)
 logger.info("Production configuration loaded")
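Review bot: The new check in `init_app` only tests that each variable is non-empty, so a deployment whose environment still sets the previously shipped values (`warranty_password`, `change_this_password_in_production`) starts up without complaint. Existing installs that copied those values into an env file are the ones most exposed, and the removed fallbacks do nothing for them. Rejecting the known old defaults alongside the missing-variable check would close that gap; the error should name the variables only and never echo the values. The guard also depends on the application factory selecting `ProductionConfig` and calling `init_app`, which is not visible in this hunk.

```python
def init_app(app):
    # … unchanged: missing_db_vars check …
    known_defaults = {
        'DB_PASSWORD': 'warranty_password',
        'DB_ADMIN_PASSWORD': 'change_this_password_in_production',
    }
    still_default = [
        var for var, old_default in known_defaults.items()
        if app.config.get(var) == old_default
    ]
    if still_default:
        # Name the variables only; never write the values to logs or errors.
        raise RuntimeError(
            f"Database credentials still set to published defaults: {', '.join(still_default)}"
        )
    # … unchanged: Config.init_app(app) and the startup log line …
```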