Security Vulnerability
The Django SECRET_KEY is hardcoded in the source file at api/leaderboard/settings.py:26.
Problem
# api/leaderboard/settings.py:26
SECRET_KEY='django-insecure-9t7y48qz6k+7$5y^v6m+e1wz3q8r9t0y1u2i3o4p5a6s7d8f9g0h'
Anyone with read access to this repository can use this key to:
- Forge valid JWT tokens and escalate privileges
- Manipulate Django session cookies
- Bypass CSRF protection
- Execute arbitrary code if debug mode is somehow enabled
Steps to Reproduce
- Clone the repository
- Open api/leaderboard/settings.py
- Observe that SECRET_KEY is a plaintext string hardcoded on line 26
Proposed Fix
# Replace the hardcoded literal with an environment variable and fail closed if it is missing
import os
from django.core.exceptions import ImproperlyConfigured

SECRET_KEY = os.environ.get('DJANGO_SECRET_KEY')
if not SECRET_KEY:
    raise ImproperlyConfigured("DJANGO_SECRET_KEY environment variable is not set")
Generate a secure key with python -c "from django.core.management.utils import get_random_secret_key; print(get_random_secret_key())" and set it in your deployment environment.
Also verify .gitignore includes .env or any env file containing secrets.
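An added example (not code from this report or the project) showing both halves of the proposed fix: a fail-closed loader that also rejects placeholder `django-insecure-` keys and short keys, and a small scan that flags a hardcoded SECRET_KEY string assignment in a settings file for use as a pre-commit or CI check. The settings text is constructed for the demo, and the 50-character minimum (the length get_random_secret_key() produces) is an assumption.

```python
import os
import re
from typing import List, Mapping

try:
    from django.core.exceptions import ImproperlyConfigured
except ImportError:  # Django not installed: local stand-in so the check still runs
    class ImproperlyConfigured(Exception):
        pass

# Assumption: get_random_secret_key() yields 50 chars; startproject tags its
# placeholder key with this prefix, which is exactly the key class in the report.
MIN_KEY_LENGTH = 50
INSECURE_PREFIX = "django-insecure-"


def load_secret_key(environ: Mapping[str, str] = os.environ,
                    var: str = "DJANGO_SECRET_KEY") -> str:
    """Read SECRET_KEY from the environment; refuse to start if it is
    missing, a startproject placeholder, or shorter than expected."""
    key = environ.get(var, "").strip()
    if not key:
        raise ImproperlyConfigured(f"{var} environment variable is not set")
    if key.startswith(INSECURE_PREFIX):
        raise ImproperlyConfigured(f"{var} is a startproject placeholder key")
    if len(key) < MIN_KEY_LENGTH:
        raise ImproperlyConfigured(f"{var} is shorter than {MIN_KEY_LENGTH} chars")
    return key


# Matches a literal assignment such as SECRET_KEY = 'abc' or SECRET_KEY="abc";
# an assignment from os.environ.get(...) does not start with a quote and is ignored.
_HARDCODED = re.compile(r"""^\s*SECRET_KEY\s*=\s*(['"]).+\1\s*(#.*)?$""")


def find_hardcoded_secret_keys(source: str) -> List[int]:
    """Return 1-based line numbers where SECRET_KEY is assigned a string literal."""
    return [n for n, line in enumerate(source.splitlines(), start=1)
            if _HARDCODED.match(line)]


# Constructed settings snippet for the demo (not the repository's file)
SAMPLE_SETTINGS = """DEBUG = False
SECRET_KEY = 'django-insecure-not-a-real-key-0123456789'
ALLOWED_HOSTS = []
SECRET_KEY = os.environ.get('DJANGO_SECRET_KEY')
"""

if __name__ == "__main__":
    print("hardcoded SECRET_KEY on lines:", find_hardcoded_secret_keys(SAMPLE_SETTINGS))
```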
Severity
CRITICAL — This compromises the entire application's cryptographic security. Even if the repo is private, any collaborator compromise exposes all deployments.