fix: 替换配置文件中的硬编码凭据为占位符#438
Conversation
…th placeholder values
概览该PR通过将配置文件中的硬编码凭据(MySQL密码、JWT密钥、LDAP密码)替换为占位符,并在初始化代码中添加JWT密钥环境变量支持,增强了配置管理的安全性。 变更清单配置安全性改进
🎯 1 (Trivial) | ⏱️ ~3 分钟
🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
✏️ Tip: You can configure your own custom pre-merge checks in the settings. ✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
There was a problem hiding this comment.
Actionable comments posted: 2
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@config/config.go`:
- Around line 92-95: The JWT_KEY environment override is only applied once
during init and gets lost after viper.OnConfigChange re-unmarshals Conf; create
a small helper (e.g., applyEnvOverrides or applyEnvOverridesToConf) that reads
JWT_KEY and sets Conf.Jwt.Key (and any other env overrides) and call that helper
both where jwtKey is currently read and inside the viper.OnConfigChange callback
so environment overrides persist across hot reloads.
- Around line 92-95: 在配置加载并可能用环境变量覆盖后,增加对 Conf.Jwt.Key 的严格校验:如果最终值为空或等于占位符(例如
"your-jwt-key" 或其他默认占位符),应记录明确错误并让进程以失败状态退出(例如使用 processLogger/error +
os.Exit(1) 或 log.Fatalf),以避免使用可预测的 JWT 密钥;检查点放在完成环境变量覆盖后(即在当前 jwtKey
覆盖逻辑之后),明确引用 Conf.Jwt.Key 和 环境变量名 JWT_KEY 以便定位修改位置。
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: CHILL
Plan: Pro
Run ID: 33fd7ec3-4883-4570-97f7-1fa01daf4d48
📒 Files selected for processing (2)
config.ymlconfig/config.go
| jwtKey := os.Getenv("JWT_KEY") | ||
| if jwtKey != "" { | ||
| Conf.Jwt.Key = jwtKey | ||
| } |
There was a problem hiding this comment.
热更新路径会丢失 JWT_KEY 覆盖值
当前 JWT_KEY 只在初始化阶段应用一次;viper.OnConfigChange 触发后会重新 Unmarshal 配置并覆盖 Conf.Jwt.Key,导致环境变量覆盖失效。建议把“环境变量覆盖”提取为统一函数,并在初始化与热更新回调中都调用一次。
建议修复(示例)
func InitConfig() {
@@
viper.OnConfigChange(func(e fsnotify.Event) {
if err := viper.Unmarshal(Conf); err != nil {
panic(fmt.Errorf("初始化配置文件失败:%s", err))
}
normalizeConfig()
+ applyEnvOverrides()
Conf.System.RSAPublicBytes = pub
Conf.System.RSAPrivateBytes = priv
})
@@
if err := viper.Unmarshal(Conf); err != nil {
panic(fmt.Errorf("初始化配置文件失败:%s", err))
}
normalizeConfig()
+ applyEnvOverrides()
@@
- // 部分配合通过环境变量加载
- dbDriver := os.Getenv("DB_DRIVER")
- ...
+}
+
+func applyEnvOverrides() {
+ // 将 InitConfig 里现有的 DB/MYSQL/JWT/LDAP 环境变量覆盖逻辑整体迁移到这里复用
}🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In `@config/config.go` around lines 92 - 95, The JWT_KEY environment override is
only applied once during init and gets lost after viper.OnConfigChange
re-unmarshals Conf; create a small helper (e.g., applyEnvOverrides or
applyEnvOverridesToConf) that reads JWT_KEY and sets Conf.Jwt.Key (and any other
env overrides) and call that helper both where jwtKey is currently read and
inside the viper.OnConfigChange callback so environment overrides persist across
hot reloads.
缺少对占位符/空 JWT 密钥的启动校验
即使新增了 JWT_KEY 覆盖,未设置环境变量时仍会接受 config.yml 中的占位符密钥(your-jwt-key)。这会让服务在可预测密钥下签发/校验 token,存在认证绕过风险。建议在配置加载完成后做强校验并失败启动。
建议修复(示例)
import (
_ "embed"
"fmt"
"os"
"strconv"
+ "strings"
@@
jwtKey := os.Getenv("JWT_KEY")
if jwtKey != "" {
Conf.Jwt.Key = jwtKey
}
+ if key := strings.TrimSpace(Conf.Jwt.Key); key == "" || key == "your-jwt-key" {
+ panic("jwt.key 未正确配置,请通过 config.yml 或 JWT_KEY 设置强随机密钥")
+ }🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In `@config/config.go` around lines 92 - 95, 在配置加载并可能用环境变量覆盖后,增加对 Conf.Jwt.Key
的严格校验:如果最终值为空或等于占位符(例如 "your-jwt-key" 或其他默认占位符),应记录明确错误并让进程以失败状态退出(例如使用
processLogger/error + os.Exit(1) 或 log.Fatalf),以避免使用可预测的 JWT
密钥;检查点放在完成环境变量覆盖后(即在当前 jwtKey 覆盖逻辑之后),明确引用 Conf.Jwt.Key 和 环境变量名 JWT_KEY
以便定位修改位置。
问题
config.yml 中提交了 4 个硬编码凭据:
1. JWT 签名密钥 (CWE-798)
AuthMiddleware.go:24 使用此密钥签发和验证 JWT token。任何人拿到源码即可伪造任意用户 token,绕过认证中间件。
2. MySQL 密码 (CWE-798)
3. LDAP 管理员密码 (CWE-798)
4. LDAP 用户初始密码 (CWE-798)
修复
4 个硬编码值已替换为占位符。同时为 JWT 密钥添加了
JWT_KEY环境变量支持(config.go),与已有的 MySQL/LDAP 环境变量覆盖机制保持一致。Summary by CodeRabbit
New Features
Chores