fix: reject empty database passwords in validator

seapagan · seapagan · commit ea8f1fa79678 · 2026-04-18T09:51:20.000+01:00
Empty or whitespace-only DB_PASSWORD and TEST_DB_PASSWORD values
previously bypassed the weak-password check, reaching the DSN
builder. Fail fast with a clear security error instead.

Signed-off-by: Grant Ramsay &lt;seapagan@gmail.com&gt;
diff --git a/app/config/settings.py b/app/config/settings.py
@@ -259,6 +259,19 @@ def validate_db_password(
     ) -> SecretStr:
         """Ensure database password is not a weak or default value."""
         raw_value = unwrap_secret(value)
+        field_name = (info.field_name or "db_password").upper()
+        if not raw_value.strip():
+            msg = (
+                "\n"
+                "=" * 70 + "\n"
+                f"SECURITY ERROR: {field_name} must not be empty!\n"
+                "=" * 70 + "\n"
+                "Set a strong database password via environment, .env, "
+                "or secrets dir:\n"
+                f"  {field_name}=your_secure_password_here\n"
+                "=" * 70
+            )
+            raise ValueError(msg)
         weak_passwords = [
             "CHANGE_ME_IN_ENV_FILE",
             "Sup3rS3cr3tP455w0rd",
@@ -267,7 +280,6 @@ def validate_db_password(
             "admin",
         ]
         if raw_value in weak_passwords:
-            field_name = (info.field_name or "db_password").upper()
             msg = (
                 "\n"
                 "=" * 70 + "\n"
diff --git a/tests/unit/test_validation.py b/tests/unit/test_validation.py
@@ -170,6 +170,43 @@ def test_weak_test_db_password_rejected(self, monkeypatch) -> None:
         ):
             Settings()
 
+    def test_empty_db_password_rejected(self, monkeypatch) -> None:
+        """Test that an empty DB_PASSWORD is rejected."""
+        monkeypatch.setenv("DB_USER", "testuser")
+        monkeypatch.setenv("SECRET_KEY", "a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6")
+        monkeypatch.setenv("DB_PASSWORD", "")
+
+        with pytest.raises(
+            ValueError,
+            match=r"SECURITY ERROR: DB_PASSWORD must not be empty!",
+        ):
+            Settings()
+
+    def test_whitespace_db_password_rejected(self, monkeypatch) -> None:
+        """Test that a whitespace-only DB_PASSWORD is rejected."""
+        monkeypatch.setenv("DB_USER", "testuser")
+        monkeypatch.setenv("SECRET_KEY", "a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6")
+        monkeypatch.setenv("DB_PASSWORD", "   ")
+
+        with pytest.raises(
+            ValueError,
+            match=r"SECURITY ERROR: DB_PASSWORD must not be empty!",
+        ):
+            Settings()
+
+    def test_empty_test_db_password_rejected(self, monkeypatch) -> None:
+        """Test that an empty TEST_DB_PASSWORD is rejected."""
+        monkeypatch.setenv("DB_USER", "testuser")
+        monkeypatch.setenv("SECRET_KEY", "a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6")
+        monkeypatch.setenv("DB_PASSWORD", "ValidPassword123!")
+        monkeypatch.setenv("TEST_DB_PASSWORD", "")
+
+        with pytest.raises(
+            ValueError,
+            match=(r"SECURITY ERROR: TEST_DB_PASSWORD must not be empty!"),
+        ):
+            Settings()
+
 
 class TestDbUserValidator:
     """Test the DB_USER validator."""
