diff --git a/.github/.keep b/.github/.keep
new file mode 100644
index 0000000..e69de29
diff --git a/breakout-exercises/code_review_exercise.md b/breakout-exercises/code_review_exercise.md
index bc31b44..d9f338b 100644
--- a/breakout-exercises/code_review_exercise.md
+++ b/breakout-exercises/code_review_exercise.md
@@ -16,7 +16,9 @@ import requests
 import sqlite3
 import hashlib
+# API key exposed - recommended to place in `.env` file and use `.gitignore`
 API_KEY = "sk-live-1234567890abcdef"
+# Password exposed in URL - again use .env file
 DATABASE_URL = "postgresql://admin:password123@localhost/prod"
 DEBUG_MODE = True
@@ -26,6 +28,7 @@ def authenticate_user(username, password):
 result = conn.execute(query).fetchone()
+ # Username and password printed - Please use encryption such as bycrypt to avoid exposing usernames and passwords
 print(f"Login attempt: {username}:{password}")
 response = requests.post("https://api.auth.com/verify",
@@ -35,6 +38,7 @@ def authenticate_user(username, password):
 def reset_password(user_id, new_password):
 conn = sqlite3.connect("users.db")
+ # allows anyone to change password
 query = f"UPDATE users SET password='{new_password}' WHERE id={user_id}"
 conn.execute(query)
 conn.commit()
diff --git a/starter-code-simple/.gitignore b/starter-code-simple/.gitignore
new file mode 100644
index 0000000..be19be2
--- /dev/null
+++ b/starter-code-simple/.gitignore
@@ -0,0 +1,7 @@
+# Ignore virtual environment, database, compiled files, and sensitive config
+
+.venv/
+__pycache__/
+*.pyc
+users.db
+.env
\ No newline at end of file
diff --git a/starter-code-simple/app.py b/starter-code-simple/app.py
index 3d01862..ab3924f 100644
--- a/starter-code-simple/app.py
+++ b/starter-code-simple/app.py
@@ -1,22 +1,46 @@
 # Simple Python API - Starting Point for GitHub Classroom Assignment
 # This code has intentional security flaws for educational purposes
+# import os added to read .env variables in app rather than hardcoding sensitive data
+import os
+from dotenv import load_dotenv
 from flask import Flask, request, jsonify
 import sqlite3
 import hashlib
+# This reads from the .env file
+load_dotenv()
+
 app = Flask(__name__)
-# Security Issue: Hardcoded secrets
-DATABASE_URL = "postgresql://admin:password123@localhost/prod"
-API_SECRET = "sk-live-1234567890abcdef"
+# Hardcoded sensitive data presents a security issue
+# Resolved by setting `os.getenv` to read from environment
+DATABASE_URL = os.getenv("DATABASE_URL")
+API_SECRET = os.getenv("API_SECRET")
+DATABASE_PATH = os.getenv("DATABASE_PATH", "users.db")
 def get_db_connection():
 return sqlite3.connect('users.db')
 @app.route('/health')
 def health_check():
- return jsonify({"status": "healthy", "database": DATABASE_URL})
+ # Health check exposed DB URl, which included sensitive password
+ # Changed health check so it only checks if the app is running and the DB is connected
+ try:
+ # Try to connect to the database using path defined in .env
+ conn = sqlite3.connect(DATABASE_PATH)
+
+ # Run a query ("SELECT 1") to verify the DB is responsive
+ conn.execute("SELECT 1")
+
+ # Close the connection to avoid leaks
+ conn.close()
+
+ # If no errors, return a simple OK response
+ return jsonify({"status": "ok", "db_ok": True})
+ except Exception:
+ # If anything fails return degraded status and a 503 Service Unavailable
+ return jsonify({"status": "degraded", "db_ok": False}), 503
 @app.route('/users', methods=['GET'])
 def get_users():
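Review bot: In the new `health_check` body `conn.close()` runs only on the success path, so a failing `SELECT 1` leaks the connection, and `sqlite3.connect(DATABASE_PATH)` creates an empty database file when the path does not exist, so the probe reports `db_ok: True` against a database that was never provisioned. Wrapping the connection in `contextlib.closing` and opening it read-only through a `file:` URI with `uri=True` addresses both, and narrowing `except Exception` to `sqlite3.Error` keeps unrelated bugs from being reported as a degraded database. `get_db_connection` still hard-codes `'users.db'` while the health check uses `DATABASE_PATH`; the two should agree, e.g. `return sqlite3.connect(DATABASE_PATH)`. `os.getenv("API_SECRET")` and `os.getenv("DATABASE_URL")` silently yield `None` when the variable is unset, so a missing `.env` surfaces only at first use; `os.environ["API_SECRET"]` or an explicit startup check would fail fast. The rewrite below also needs `from contextlib import closing` in the import block.
```python
def health_check():
    # … unchanged: explanatory comments …
    try:
        # mode=ro: a missing or unwritable database is reported, not silently created
        with closing(sqlite3.connect(f"file:{DATABASE_PATH}?mode=ro", uri=True)) as conn:
            conn.execute("SELECT 1")
        return jsonify({"status": "ok", "db_ok": True})
    except sqlite3.Error:
        return jsonify({"status": "degraded", "db_ok": False}), 503
```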