Skip to content

Security: Replace hardcoded secret keys in example config (CWE-798)#233

Open
saaa99999999 wants to merge 375 commits into
bufanyun:mainfrom
saaa99999999:fix/hardcoded-secrets
Open

Security: Replace hardcoded secret keys in example config (CWE-798)#233
saaa99999999 wants to merge 375 commits into
bufanyun:mainfrom
saaa99999999:fix/hardcoded-secrets

Conversation

@saaa99999999
Copy link
Copy Markdown

@saaa99999999 saaa99999999 commented May 26, 2026
edited by bufanyun
Loading

Summary

Replace 3 hardcoded secret keys in the example configuration file (server/manifest/config/config.example.yaml).

Anyone who knows these default secrets can:

  • Forge valid JWT tokens (line 184, key hotgo123)
  • Access internal TCP cron service (line 84, key hotgo)
  • Access internal TCP auth service (line 91, key 123456)

Changes

  • server/manifest/config/config.example.yaml:84 — Replaced secretKey: "hotgo" with empty placeholder
  • server/manifest/config/config.example.yaml:91 — Replaced secretKey: "123456" with empty placeholder
  • server/manifest/config/config.example.yaml:184 — Replaced secretKey: "hotgo123" with empty placeholder

Test plan

  • JWT authentication works with a properly configured token.secretKey
  • TCP services work with properly configured secretKey values

bufanyun and others added 30 commits June 16, 2023 19:58
@bufanyun
优化响应中间件,自动识别响应数据格式
9b89402
@bufanyun
优化hgorm.dao方法
aff0ff3
@maxbad
Merge pull request bufanyun#31 from bufanyun/v2.0
8be4110 
更新
@bufanyun
发布v2.7.6版本
773f26b
@maxbad
Merge pull request bufanyun#32 from bufanyun/v2.0
ba60fc2 
发布v2.7.6版本
@bufanyun
修复字典选项和公告提示加载异常,优化tcp和websocket消息处理
4a06a89
@maxbad
Merge pull request bufanyun#33 from bufanyun/v2.0
89dc741 
修复字典选项和公告提示加载异常,优化tcp和websocket消息处理
@bufanyun
优化菜单、省市区树结构排序,修复部门搜索空指针问题
cc3ab9a
@maxbad
Merge pull request bufanyun#34 from bufanyun/v2.0
c1ba775 
优化菜单、省市区树结构排序,修复部门搜索空指针问题
@bufanyun
完善文档
9113fc5
@maxbad
Merge pull request bufanyun#35 from bufanyun/v2.0
9874312 
完善文档
@maxbad
Update notice.go
b66be91 
顶部消息获取
@bufanyun
Merge pull request bufanyun#38 from maxbad/v2.0
67bf2e9 
FIX:顶部消息获取不到列表
@maxbad
Merge pull request bufanyun#36 from bufanyun/v2.0
8e2a849 
Merge pull request bufanyun#38 from maxbad/v2.0
@bufanyun
发布v2.8.4版本,更新内容请查看:https://github.com/bufanyun/hotgo/tree/v2.0/docs/g…
373d962 
…uide-zh-CN/addon-version-upgrade.md
@bufanyun
Merge branch 'v2.0' of https://github.com/bufanyun/hotgo into v2.0
47ecaf4
@bufanyun
发布v2.8.7版本,更新内容请查看:https://github.com/bufanyun/hotgo/tree/v2.0/docs/g…
874f3c1 
…uide-zh-CN/addon-version-upgrade.md
@bufanyun
发布v2.8.4版本,更新内容请查看:https://github.com/bufanyun/hotgo/blob/v2.0/docs/g…
071b622 
…uide-zh-CN/start-update-log.md
@bufanyun
golangci-lint run
996ed81
@maxbad
Merge pull request bufanyun#37 from bufanyun/v2.0
a700b3b 
v2.8.4
@bufanyun
增加集群部署支持,修复定时任务分组添加后选项不显示
12bf36c
@bufanyun
默认配置
471f069
@maxbad
Merge pull request bufanyun#38 from bufanyun/v2.0
755e95b 
增加集群部署支持,修复定时任务分组添加后选项不显示
@bufanyun
消息订阅增加多个消息支持,优化文件选择器清空操作,添加后台用户时增加角色部门验证
465e48d
@maxbad
Merge pull request bufanyun#39 from bufanyun/v2.0
31ec404 
消息订阅增加多个消息支持,优化文件选择器清空操作,添加后台用户时增加角色部门验证
@bufanyun
修复部权限更新sql错误,修复后台用户时增加角色部门验证
e941e52
@maxbad
Merge pull request bufanyun#40 from bufanyun/v2.0
c95d4d8 
修复部权限更新sql错误,修复后台用户时增加角色部门验证
@bufanyun
用户操作权限增加角色权限过滤,优化角色/部门关系树生成,修复验证码空参数不验证问题
3df5236
@maxbad
Merge pull request bufanyun#41 from bufanyun/v2.0
b723e76 
用户操作权限增加角色权限过滤,优化角色/部门关系树生成,修复验证码空参数不验证问题
@bufanyun
优化服务监控定时器,移除notify功能包
90d09de
wangle201210 and others added 30 commits September 11, 2025 00:16
@wangle201210
fix model.ts
e3eb4bd
@wangle201210
添加yaml字段类型
a98a25e
bug修复
776307e 
本地 64 位 int → 安全;线上 32 位 int → 溢出 → panic
exception recovered: runtime error: index out of range [-2]
@osindex
🎨 去除mysql硬编码 方便切换pgsql
edb673e
@yemangran
Update CreateDrawer.vue
31f8102
@yemangran
Update CreateDrawer.vue
f2454ce
@yemangran
Update menu.go
58213e8 
修复新增按钮类型的菜单到hg_admin_menu时,component空串被清空导致新增失败
@yemangran
Merge pull request bufanyun#1 from yemangran/yemangran-patch-1
334f9a7 
Update menu.go
@bufanyun
Merge pull request bufanyun#196 from wangle201210/fix/model
0f6f742 
fix model.ts
@bufanyun
Merge pull request bufanyun#197 from wangle201210/feat/yaml
f85d21a 
添加yaml字段类型
@bufanyun
Merge pull request bufanyun#198 from zhangshican/v2.0
36ddd09 
bug修复
@bufanyun
Merge pull request bufanyun#199 from osindex/develop
4b0f506 
🎨 去除mysql硬编码 方便切换pgsql
@bufanyun
Merge pull request bufanyun#203 from yemangran/yemangran-patch
5fa7b47 
修复字典管理页面新增时表单检验
@bufanyun
Merge pull request bufanyun#204 from yemangran/v2.0
e8c94f1 
修复新增按钮类型的菜单到hg_admin_menu时,component空串被清空导致新增失败
@youluo1230
fix(admin):修复消息查询
70076c9
@bufanyun
Merge pull request bufanyun#205 from youluo1230/v2.0
5ebc33f 
fix(admin):修复消息查询
@bufanyun
发布v2.18.6版本,更新内容请查看:https://github.com/bufanyun/hotgo/blob/v2.0/docs/…
7313d22 
…guide-zh-CN/start-update-log.md
@0x76long
修复因大小写导致找不到表主键的问题
c94184a
@bufanyun
Merge pull request bufanyun#211 from 0x76long/0x76long-patch-1
3989996 
修复因大小写导致找不到表主键的问题
@bufanyun
feat 调整 mysql 、pgsql 初始化数据; 完善pgsql 兼容性,适配代码生成逻辑
a7234bc
@bufanyun
fix 修复生成代码 pgsql 菜单权限生成和个别数据类型生成错误,vue 方法导入改为自动导入
b58643c
@wangle201210
fix pprof
3165451
@bufanyun
Merge pull request bufanyun#220 from wangle201210/v2.0
5618ed3 
fix pprof
@xiaohe4966
安装说明更新
56db503 
修改配置文件名和详细的mysql连接说明
@bufanyun
Merge pull request bufanyun#224 from xiaohe4966/v2.0
39f21ce 
安装说明更新
@pengchanglu
修改多选下拉框生成前端报错问题和列表标签不显示问题
42eb736
@bufanyun
Merge pull request bufanyun#230 from pengchanglu/v2.0
5ba53bc 
Fix the issues of front-end errors generated by the multi-choice dropdown box and the non-display of list tags
@bufanyun
发布v2.18.9版本,更新内容请查看:https://github.com/bufanyun/hotgo/blob/v2.0/docs/…
8fccdc8 
…guide-zh-CN/start-update-log.md
@bufanyun
add 更新日志
c6191f7
@saaa99999999
Security: Replace hardcoded secret keys in example config (CWE-798)
dd9b278 
Default secret keys "hotgo", "123456", and "hotgo123" were exposed in
the example configuration for TCP client auth and JWT token signing.
Users deploying from this template could have their tokens forged and
internal TCP services accessed by anyone who knows these default keys.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.