Skip to content

fix: 替换配置文件中的硬编码凭据为占位符#438

Open
saaa99999999 wants to merge 1 commit into
opsre:mainfrom
saaa99999999:fix/hardcoded-credentials
Open

fix: 替换配置文件中的硬编码凭据为占位符#438
saaa99999999 wants to merge 1 commit into
opsre:mainfrom
saaa99999999:fix/hardcoded-credentials

Conversation

@saaa99999999

@saaa99999999 saaa99999999 commented May 24, 2026

Copy link
Copy Markdown

问题

config.yml 中提交了 4 个硬编码凭据:

1. JWT 签名密钥 (CWE-798)

# 修复前
jwt:
  key: secret key

AuthMiddleware.go:24 使用此密钥签发和验证 JWT token。任何人拿到源码即可伪造任意用户 token,绕过认证中间件。

2. MySQL 密码 (CWE-798)

# 修复前
mysql:
  password: 123456

3. LDAP 管理员密码 (CWE-798)

# 修复前
ldap:
  admin-pass: "123456"

4. LDAP 用户初始密码 (CWE-798)

# 修复前
ldap:
  user-init-password: "123456"

修复

4 个硬编码值已替换为占位符。同时为 JWT 密钥添加了 JWT_KEY 环境变量支持(config.go),与已有的 MySQL/LDAP 环境变量覆盖机制保持一致。

Summary by CodeRabbit

  • New Features

    • 现在支持通过环境变量配置 JWT 密钥。
  • Chores

    • 配置文件中的敏感凭据(数据库密码、JWT 密钥、LDAP 密码等)已更新为占位符,需要管理员在部署时根据实际环境进行配置。

Review Change Stack

@coderabbitai

coderabbitai Bot commented May 24, 2026

Copy link
Copy Markdown

概览

该PR通过将配置文件中的硬编码凭据(MySQL密码、JWT密钥、LDAP密码)替换为占位符,并在初始化代码中添加JWT密钥环境变量支持,增强了配置管理的安全性。

变更清单

配置安全性改进

Layer / File(s) 摘要
配置文件凭据占位符化
config.yml
MySQL数据库密码、JWT服务端密钥、LDAP管理员密码和LDAP用户初始密码从硬编码的示例值(如123456secret key)替换为通用占位符(如your-passwordyour-jwt-key)。
JWT密钥环境变量覆盖
config/config.go
InitConfig()函数中添加JWT_KEY环境变量的读取逻辑,当该环境变量非空时覆盖配置中的JWT密钥值。

🎯 1 (Trivial) | ⏱️ ~3 分钟


🐰 硬编码的秘密现已隐去,

占位符与环境变量随之而来,

配置更安全,部署更灵活,

数据库、JWT、LDAP一路保护! 🔐

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed 标题准确概括了PR的主要变更:将配置文件中的硬编码凭据替换为占位符,简洁明了且具体指出了关键修改。
Docstring Coverage ✅ Passed Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@config/config.go`:
- Around line 92-95: The JWT_KEY environment override is only applied once
during init and gets lost after viper.OnConfigChange re-unmarshals Conf; create
a small helper (e.g., applyEnvOverrides or applyEnvOverridesToConf) that reads
JWT_KEY and sets Conf.Jwt.Key (and any other env overrides) and call that helper
both where jwtKey is currently read and inside the viper.OnConfigChange callback
so environment overrides persist across hot reloads.
- Around line 92-95: 在配置加载并可能用环境变量覆盖后,增加对 Conf.Jwt.Key 的严格校验:如果最终值为空或等于占位符(例如
"your-jwt-key" 或其他默认占位符),应记录明确错误并让进程以失败状态退出(例如使用 processLogger/error +
os.Exit(1) 或 log.Fatalf),以避免使用可预测的 JWT 密钥;检查点放在完成环境变量覆盖后(即在当前 jwtKey
覆盖逻辑之后),明确引用 Conf.Jwt.Key 和 环境变量名 JWT_KEY 以便定位修改位置。
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 33fd7ec3-4883-4570-97f7-1fa01daf4d48

📥 Commits

Reviewing files that changed from the base of the PR and between bb7e12f and d41e1f7.

📒 Files selected for processing (2)
  • config.yml
  • config/config.go

Comment thread config/config.go
Comment on lines +92 to +95
jwtKey := os.Getenv("JWT_KEY")
if jwtKey != "" {
Conf.Jwt.Key = jwtKey
}

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

热更新路径会丢失 JWT_KEY 覆盖值

当前 JWT_KEY 只在初始化阶段应用一次;viper.OnConfigChange 触发后会重新 Unmarshal 配置并覆盖 Conf.Jwt.Key,导致环境变量覆盖失效。建议把“环境变量覆盖”提取为统一函数,并在初始化与热更新回调中都调用一次。

建议修复(示例)
 func InitConfig() {
@@
 	viper.OnConfigChange(func(e fsnotify.Event) {
 		if err := viper.Unmarshal(Conf); err != nil {
 			panic(fmt.Errorf("初始化配置文件失败:%s", err))
 		}
 		normalizeConfig()
+		applyEnvOverrides()
 		Conf.System.RSAPublicBytes = pub
 		Conf.System.RSAPrivateBytes = priv
 	})
@@
 	if err := viper.Unmarshal(Conf); err != nil {
 		panic(fmt.Errorf("初始化配置文件失败:%s", err))
 	}
 	normalizeConfig()
+	applyEnvOverrides()
@@
-	// 部分配合通过环境变量加载
-	dbDriver := os.Getenv("DB_DRIVER")
-	...
+}
+
+func applyEnvOverrides() {
+	// 将 InitConfig 里现有的 DB/MYSQL/JWT/LDAP 环境变量覆盖逻辑整体迁移到这里复用
 }
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@config/config.go` around lines 92 - 95, The JWT_KEY environment override is
only applied once during init and gets lost after viper.OnConfigChange
re-unmarshals Conf; create a small helper (e.g., applyEnvOverrides or
applyEnvOverridesToConf) that reads JWT_KEY and sets Conf.Jwt.Key (and any other
env overrides) and call that helper both where jwtKey is currently read and
inside the viper.OnConfigChange callback so environment overrides persist across
hot reloads.

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

缺少对占位符/空 JWT 密钥的启动校验

即使新增了 JWT_KEY 覆盖,未设置环境变量时仍会接受 config.yml 中的占位符密钥(your-jwt-key)。这会让服务在可预测密钥下签发/校验 token,存在认证绕过风险。建议在配置加载完成后做强校验并失败启动。

建议修复(示例)
 import (
 	_ "embed"
 	"fmt"
 	"os"
 	"strconv"
+	"strings"
@@
 	jwtKey := os.Getenv("JWT_KEY")
 	if jwtKey != "" {
 		Conf.Jwt.Key = jwtKey
 	}
+	if key := strings.TrimSpace(Conf.Jwt.Key); key == "" || key == "your-jwt-key" {
+		panic("jwt.key 未正确配置,请通过 config.yml 或 JWT_KEY 设置强随机密钥")
+	}
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@config/config.go` around lines 92 - 95, 在配置加载并可能用环境变量覆盖后,增加对 Conf.Jwt.Key
的严格校验:如果最终值为空或等于占位符(例如 "your-jwt-key" 或其他默认占位符),应记录明确错误并让进程以失败状态退出(例如使用
processLogger/error + os.Exit(1) 或 log.Fatalf),以避免使用可预测的 JWT
密钥;检查点放在完成环境变量覆盖后(即在当前 jwtKey 覆盖逻辑之后),明确引用 Conf.Jwt.Key 和 环境变量名 JWT_KEY
以便定位修改位置。

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant