fix: Patch security update from latest CVS

Author: zeroc0d3

.env.example

@@ -58,7 +58,8 @@ TELEMETRYFLOW_SERVICE_NAME=my-service
 TELEMETRYFLOW_SERVICE_VERSION=1.2.0
 TELEMETRYFLOW_SERVICE_NAMESPACE=telemetryflow
 TELEMETRYFLOW_ENVIRONMENT=development
-TELEMETRYFLOW_INSECURE=true
+# SECURITY WARNING: TELEMETRYFLOW_INSECURE=true disables TLS — ONLY for development
+TELEMETRYFLOW_INSECURE=false
 
 
 #================================================================================================
@@ -176,14 +177,14 @@ TFO_PLATFORM_VERSION=1.4.0
 POSTGRES_VERSION=16-alpine
 POSTGRES_DB=telemetryflow_db
 POSTGRES_USERNAME=tfo_admin
-POSTGRES_PASSWORD=telemetryflow123
+POSTGRES_PASSWORD=
 PORT_POSTGRES=5432
 
 # ClickHouse
 CLICKHOUSE_VERSION=latest
 CLICKHOUSE_DB=telemetryflow_db
 CLICKHOUSE_USER=tfo_admin
-CLICKHOUSE_PASSWORD=telemetryflow123
+CLICKHOUSE_PASSWORD=
 PORT_CLICKHOUSE_HTTP=8123
 PORT_CLICKHOUSE_NATIVE=9000
 
@@ -204,10 +205,10 @@ PORT_NATS_MONITOR=8222
 NODE_ENV=development
 PORT_BACKEND=3000
 ENABLE_BULLMQ=true
-JWT_SECRET=dev-secret-change-me-in-production
+JWT_SECRET=
 JWT_EXPIRES_IN=24h
-SESSION_SECRET=dev-session-secret-change-me
-CORS_ORIGIN=*
+SESSION_SECRET=
+CORS_ORIGIN=http://localhost:8080
 LOGGER_TYPE=winston
 LOG_PRETTY_PRINT=false
 OTEL_SERVICE_NAME=telemetryflow-platform
@@ -307,8 +308,8 @@ DB_PASSWORD=
 #================================================================================================
 # [20] SECURITY (for RESTful API generator)
 #================================================================================================
-SECRET_KEY=change-me-in-production
-JWT_SECRET_KEY=change-me-in-production
+SECRET_KEY=
+JWT_SECRET_KEY=
 JWT_EXPIRES=3600
 
 

.github/workflows/docker.yml

@@ -179,37 +179,50 @@ jobs:
           # =============================================================================
           # TelemetryFlow Python SDK - Multi-stage Dockerfile
           # =============================================================================
-          FROM python:3.12-slim AS builder
+          FROM python:3.14-slim AS builder
 
           ARG VERSION=dev
           ARG GIT_COMMIT=unknown
           ARG BUILD_TIME=unknown
 
           WORKDIR /build
 
-          # Install build dependencies
-          RUN apt-get update && apt-get install -y --no-install-recommends \
+          # Install build dependencies and upgrade system packages to fix CVEs
+          RUN apt-get update && \
+              apt-get upgrade -y && \
+              apt-get install -y --no-install-recommends \
               git \
               && rm -rf /var/lib/apt/lists/*
 
           # Copy package files
           COPY pyproject.toml README.md ./
           COPY src/ ./src/
 
-          # Build wheel
-          RUN pip install --no-cache-dir build && \
+          # Build wheel (upgrade pip to fix CVEs)
+          RUN pip install --upgrade pip build && \
               python -m build --wheel
 
           # =============================================================================
           # Final image
           # =============================================================================
-          FROM python:3.12-slim
+          FROM python:3.14-slim
 
           ARG VERSION=dev
 
-          # Install the built wheel
+          # Upgrade ALL system packages to patch CVEs (ncurses, glibc, util-linux, xz, zlib, tar, systemd, sqlite)
+          # Remove perl to eliminate Archive::Tar, IO::Compress CVEs
+          RUN apt-get update && \
+              apt-get upgrade -y && \
+              apt-get install -y --no-install-recommends \
+              ca-certificates \
+              && apt-get remove -y --purge perl \
+              && apt-get autoremove -y --purge \
+              && rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/*
+
+          # Install the built wheel (upgrade pip to fix CVEs)
           COPY --from=builder /build/dist/*.whl /tmp/
-          RUN pip install --no-cache-dir /tmp/*.whl && \
+          RUN pip install --upgrade pip && \
+              pip install --no-cache-dir /tmp/*.whl && \
               rm /tmp/*.whl
 
           # Labels

CHANGELOG.md

@@ -107,6 +107,22 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ### Fixed
 
 - **gRPC Header Case Sensitivity**: Fixed gRPC exporter to use lowercase header keys (gRPC metadata specification requires lowercase keys)
+- **Security - Credentials Exposure**: Removed partial API key secret leak in `Credentials.__str__()` — now masks secret completely with `***` instead of exposing first 8 characters
+- **Security - Plaintext Secret Header**: Removed `X-TelemetryFlow-Key-Secret` from `auth_headers()` — API key secret is now only transmitted via the `Authorization` header
+- **Security - Endpoint SSRF Validation**: Added regex-based `host:port` validation in `TelemetryConfig._validate()` to prevent Server-Side Request Forgery via malformed endpoints
+- **Security - Insecure TLS Warning**: Added `logging.warning()` when `with_insecure(True)` is called to alert developers that TLS is disabled
+- **Security - Hardcoded Secrets**: Removed all hardcoded default passwords from `docker-compose.yml` — PostgreSQL, ClickHouse, JWT, and session secrets now require explicit configuration via `${VAR:?msg}` pattern
+- **Security - CORS Wildcard**: Changed default `CORS_ORIGIN` from `*` to `http://localhost:8080` in `docker-compose.yml` and `.env.example`
+- **Security - Weak Defaults**: Removed weak default secrets (`change-me-in-production`, `telemetryflow123`) from `.env.example` — all secret fields now empty by default
+- **Security - Insecure Default**: Changed `TELEMETRYFLOW_INSECURE` default from `true` to `false` in `.env.example` with security warning
+- **Security - Docker Root User**: Added non-root `telemetryflow` user (UID 10001) to `Dockerfile.dev` with `USER` directive
+- **Security - Docker CVE Hardening**: Updated `Dockerfile`, `Dockerfile.dev`, and `docker.yml` workflow to patch Trivy-detected CVEs:
+  - `apt-get upgrade -y` to patch ncurses, glibc, util-linux, xz, zlib, tar, systemd, sqlite vulnerabilities
+  - Removed `perl` package to eliminate Archive::Tar, IO::Compress, IO::Uncompress::Unzip CVEs
+  - Upgraded `pip` to latest version to fix arbitrary code execution, path traversal, and improper archive handling
+- **Version Alignment (CVS)**: Fixed `version.py` from stale `1.1.1` to `1.2.0` matching `pyproject.toml` and `CHANGELOG.md`
+- **Version Alignment (CVS)**: Updated `Dockerfile` `ARG VERSION` and OCI labels from `1.1.1` to `1.2.0`
+- **Version Alignment (CVS)**: Updated `Dockerfile` build comments from `1.1.1` to `1.2.0`
 
 ### SDK Configuration Structure
 

Dockerfile

@@ -27,7 +27,7 @@
 FROM python:3.14-slim AS builder
 
 # Build arguments
-ARG VERSION=1.1.1
+ARG VERSION=1.2.0
 ARG GIT_COMMIT=unknown
 ARG GIT_BRANCH=unknown
 ARG BUILD_TIME=unknown
@@ -38,8 +38,10 @@ ENV PYTHONDONTWRITEBYTECODE=1 \
     PIP_NO_CACHE_DIR=1 \
     PIP_DISABLE_PIP_VERSION_CHECK=1
 
-# Install build dependencies
-RUN apt-get update && apt-get install -y --no-install-recommends \
+# Install build dependencies and upgrade all system packages to fix CVEs
+RUN apt-get update && \
+    apt-get upgrade -y && \
+    apt-get install -y --no-install-recommends \
     git \
     && rm -rf /var/lib/apt/lists/*
 
@@ -68,14 +70,14 @@ FROM python:3.14-slim
 # =============================================================================
 LABEL org.opencontainers.image.title="TelemetryFlow Python SDK" \
       org.opencontainers.image.description="Python SDK and code generators for TelemetryFlow integration - Community Enterprise Observability Platform (CEOP)" \
-      org.opencontainers.image.version="1.1.1" \
+      org.opencontainers.image.version="1.2.0" \
       org.opencontainers.image.vendor="TelemetryFlow" \
       org.opencontainers.image.authors="Telemetri Data Indonesia <support@devopscorner.id>" \
       org.opencontainers.image.url="https://telemetryflow.id" \
       org.opencontainers.image.documentation="https://docs.telemetryflow.id" \
       org.opencontainers.image.source="https://github.com/telemetryflow/telemetryflow-python-sdk" \
       org.opencontainers.image.licenses="Apache-2.0" \
-      org.opencontainers.image.base.name="python:3.12-slim" \
+      org.opencontainers.image.base.name="python:3.14-slim" \
       # TelemetryFlow specific labels
       io.telemetryflow.product="TelemetryFlow Python SDK" \
       io.telemetryflow.component="telemetryflow-python-sdk" \
@@ -91,11 +93,25 @@ ENV PYTHONDONTWRITEBYTECODE=1 \
     TELEMETRYFLOW_ENDPOINT=api.telemetryflow.id:4317 \
     TELEMETRYFLOW_ENVIRONMENT=production
 
-# Install runtime dependencies
-RUN apt-get update && apt-get install -y --no-install-recommends \
+# Install runtime dependencies and upgrade ALL system packages to patch CVEs:
+# - ncurses: buffer overflow (#80,#85,#93,#94)
+# - glibc: heap overflow, DNS crash, TSIG OOB write (#67-#74)
+# - util-linux: TOCTOU mount, hostname canonicalization (#75-#82,#87-#92)
+# - xz: buffer overflow in index decoding (#77)
+# - zlib: DoS via infinite loop in CRC32 (#106)
+# - tar: hidden file injection (#103)
+# - systemd: unintended terminal output (#84,#86)
+# - sqlite: info disclosure via crafted ZIP (#83)
+# - perl: heap overflow, Archive::Tar, IO::Compress (#95-#102)
+# - pip: arbitrary code execution, path traversal (#107-#109)
+RUN apt-get update && \
+    apt-get upgrade -y && \
+    apt-get install -y --no-install-recommends \
     ca-certificates \
     curl \
-    && rm -rf /var/lib/apt/lists/*
+    && apt-get remove -y --purge perl \
+    && apt-get autoremove -y --purge \
+    && rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/*
 
 # Create non-root user and group
 RUN groupadd -g 10001 telemetryflow && \
@@ -108,8 +124,9 @@ RUN mkdir -p /workspace && chown -R telemetryflow:telemetryflow /workspace
 COPY --from=builder /wheels /wheels
 COPY --from=builder /build/dist/*.whl /wheels/
 
-# Install the SDK and dependencies
-RUN pip install --no-cache-dir /wheels/*.whl && \
+# Install the SDK and dependencies (upgrade pip to fix CVEs #107-#109)
+RUN pip install --upgrade pip && \
+    pip install --no-cache-dir /wheels/*.whl && \
     rm -rf /wheels
 
 # Verify installation
@@ -134,29 +151,29 @@ CMD ["--help"]
 # =============================================================================
 # Build with:
 #   docker build \
-#     --build-arg VERSION=1.1.1 \
+#     --build-arg VERSION=1.2.0 \
 #     --build-arg GIT_COMMIT=$(git rev-parse --short HEAD) \
 #     --build-arg GIT_BRANCH=$(git rev-parse --abbrev-ref HEAD) \
 #     --build-arg BUILD_TIME=$(date -u '+%Y-%m-%dT%H:%M:%SZ') \
-#     -t telemetryflow/telemetryflow-python-sdk:1.1.1 .
+#     -t telemetryflow/telemetryflow-python-sdk:1.2.0 .
 #
 # Run with:
 #   # SDK Generator (telemetryflow-gen) - Native Python integration
-#   docker run --rm -v $(pwd):/workspace telemetryflow/telemetryflow-python-sdk:1.1.1 \
+#   docker run --rm -v $(pwd):/workspace telemetryflow/telemetryflow-python-sdk:1.2.0 \
 #     init -p my-project --output /workspace
 #
 #   # RESTful API Generator (telemetryflow-restapi) - Flask + SQLAlchemy DDD project
 #   docker run --rm -v $(pwd):/workspace --entrypoint telemetryflow-restapi \
-#     telemetryflow/telemetryflow-python-sdk:1.1.1 \
+#     telemetryflow/telemetryflow-python-sdk:1.2.0 \
 #     new -n my-api --output /workspace
 #
 #   # Add entity to RESTful API project
 #   docker run --rm -v $(pwd)/my-api:/workspace --entrypoint telemetryflow-restapi \
-#     telemetryflow/telemetryflow-python-sdk:1.1.1 \
+#     telemetryflow/telemetryflow-python-sdk:1.2.0 \
 #     entity -n User -f 'name:string,email:string' --output /workspace
 #
 #   # Run Python example
 #   docker run --rm -v $(pwd):/workspace --entrypoint python \
-#     telemetryflow/telemetryflow-python-sdk:1.1.1 \
+#     telemetryflow/telemetryflow-python-sdk:1.2.0 \
 #     /workspace/example.py
 # =============================================================================

Dockerfile.dev

@@ -17,7 +17,7 @@ FROM python:3.14-slim
 # =============================================================================
 LABEL org.opencontainers.image.title="TelemetryFlow Python SDK - Development" \
       org.opencontainers.image.description="Development image for TelemetryFlow Python SDK" \
-      org.opencontainers.image.version="1.1.1-dev" \
+      org.opencontainers.image.version="1.2.0-dev" \
       org.opencontainers.image.vendor="TelemetryFlow" \
       org.opencontainers.image.authors="Telemetri Data Indonesia <support@devopscorner.id>" \
       org.opencontainers.image.licenses="Apache-2.0"
@@ -27,19 +27,26 @@ ENV PYTHONDONTWRITEBYTECODE=1 \
     PYTHONUNBUFFERED=1 \
     PIP_NO_CACHE_DIR=1 \
     PIP_DISABLE_PIP_VERSION_CHECK=1 \
-    # Development settings
     PYTHONFAULTHANDLER=1 \
     PYTHONHASHSEED=random
 
-# Install system dependencies
-RUN apt-get update && apt-get install -y --no-install-recommends \
+# Install system dependencies and upgrade ALL system packages to patch CVEs
+RUN apt-get update && \
+    apt-get upgrade -y && \
+    apt-get install -y --no-install-recommends \
     git \
     curl \
     wget \
     vim \
     ca-certificates \
     build-essential \
-    && rm -rf /var/lib/apt/lists/*
+    && apt-get remove -y --purge perl \
+    && apt-get autoremove -y --purge \
+    && rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/*
+
+# Create non-root user
+RUN groupadd -g 10001 telemetryflow && \
+    useradd -u 10001 -g telemetryflow -d /home/telemetryflow -m telemetryflow
 
 # Set working directory
 WORKDIR /app
@@ -48,7 +55,7 @@ WORKDIR /app
 COPY pyproject.toml README.md LICENSE ./
 COPY src/ ./src/
 
-# Install the package with all development dependencies
+# Install the package with all development dependencies (upgrade pip to fix CVEs)
 RUN pip install --upgrade pip && \
     pip install -e ".[dev,http,grpc]"
 
@@ -60,7 +67,10 @@ RUN pip install \
     httpx
 
 # Create workspace directory
-RUN mkdir -p /workspace
+RUN mkdir -p /workspace && chown -R telemetryflow:telemetryflow /workspace /app
+
+# Switch to non-root user
+USER telemetryflow
 
 # Set default command
 CMD ["python", "-c", "from telemetryflow import TelemetryFlowBuilder; print('TelemetryFlow Python SDK - Development Environment Ready!')"]

docker-compose.yml

@@ -274,7 +274,7 @@ services:
     environment:
       - TZ=${TZ:-UTC}
       - POSTGRES_USER=${POSTGRES_USERNAME:-tfo_admin}
-      - POSTGRES_PASSWORD=${POSTGRES_PASSWORD:-telemetryflow123}
+      - POSTGRES_PASSWORD=${POSTGRES_PASSWORD:?POSTGRES_PASSWORD must be set}
       - POSTGRES_DB=${POSTGRES_DB:-telemetryflow_db}
       - PGDATA=/var/lib/postgresql/data/pgdata
     volumes:
@@ -305,7 +305,7 @@ services:
       - TZ=${TZ:-UTC}
       - CLICKHOUSE_DB=${CLICKHOUSE_DB:-telemetryflow_db}
       - CLICKHOUSE_USER=${CLICKHOUSE_USER:-tfo_admin}
-      - CLICKHOUSE_PASSWORD=${CLICKHOUSE_PASSWORD:-telemetryflow123}
+      - CLICKHOUSE_PASSWORD=${CLICKHOUSE_PASSWORD:?CLICKHOUSE_PASSWORD must be set}
     volumes:
       - ${DATA_CLICKHOUSE:-${VOLUMES_BASE_PATH:-/opt/data/docker/telemetryflow-sdk}/clickhouse}/data:/var/lib/clickhouse
       - ${DATA_CLICKHOUSE:-${VOLUMES_BASE_PATH:-/opt/data/docker/telemetryflow-sdk}/clickhouse}/logs:/var/log/clickhouse-server
@@ -396,14 +396,14 @@ services:
       - POSTGRES_PORT=5432
       - POSTGRES_DB=${POSTGRES_DB:-telemetryflow_db}
       - POSTGRES_USERNAME=${POSTGRES_USERNAME:-tfo_admin}
-      - POSTGRES_PASSWORD=${POSTGRES_PASSWORD:-telemetryflow123}
+      - POSTGRES_PASSWORD=${POSTGRES_PASSWORD:?POSTGRES_PASSWORD must be set}
 
       # ClickHouse
       - CLICKHOUSE_HOST=clickhouse
       - CLICKHOUSE_PORT=8123
       - CLICKHOUSE_DB=${CLICKHOUSE_DB:-telemetryflow_db}
       - CLICKHOUSE_USER=${CLICKHOUSE_USER:-tfo_admin}
-      - CLICKHOUSE_PASSWORD=${CLICKHOUSE_PASSWORD:-telemetryflow123}
+      - CLICKHOUSE_PASSWORD=${CLICKHOUSE_PASSWORD:?CLICKHOUSE_PASSWORD must be set}
 
       # Redis
       - REDIS_HOST=redis
@@ -421,12 +421,12 @@ services:
       - ENABLE_BULLMQ=${ENABLE_BULLMQ:-true}
 
       # JWT & Session
-      - JWT_SECRET=${JWT_SECRET:-dev-secret-change-me-in-production}
+      - JWT_SECRET=${JWT_SECRET:?JWT_SECRET must be set}
       - JWT_EXPIRES_IN=${JWT_EXPIRES_IN:-24h}
-      - SESSION_SECRET=${SESSION_SECRET:-dev-session-secret-change-me}
+      - SESSION_SECRET=${SESSION_SECRET:?SESSION_SECRET must be set}
 
       # CORS
-      - CORS_ORIGIN=${CORS_ORIGIN:-*}
+      - CORS_ORIGIN=${CORS_ORIGIN:-http://localhost:8080}
 
       # Logging
       - LOGGER_TYPE=${LOGGER_TYPE:-winston}

src/telemetryflow/builder.py

@@ -20,6 +20,7 @@
 from __future__ import annotations
 
 import contextlib
+import logging
 import os
 from datetime import timedelta
 from typing import TYPE_CHECKING
@@ -31,6 +32,8 @@
 if TYPE_CHECKING:
     pass
 
+logger = logging.getLogger(__name__)
+
 
 class BuilderError(Exception):
     """Exception raised for builder configuration errors."""
@@ -325,6 +328,12 @@ def with_insecure(self, insecure: bool = True) -> TelemetryFlowBuilder:
             Self for method chaining
         """
         self._insecure = insecure
+        if insecure:
+            logger.warning(
+                "TLS verification is DISABLED (insecure=true). "
+                "This should ONLY be used in development. "
+                "Never use this in production environments."
+            )
         return self
 
     # Signal Configuration