fix: fail closed on missing or placeholder environment secrets#90
Open
failsafesecurity wants to merge 1 commit into
Open
fix: fail closed on missing or placeholder environment secrets#90failsafesecurity wants to merge 1 commit into
failsafesecurity wants to merge 1 commit into
Conversation
Author
|
👋 Gentle ping — this PR has been open for ~17 days. The fix ensures production deployments fail closed on missing/placeholder secrets rather than silently running vulnerable. Happy to adjust scope or approach. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Problem
The production/staging bootstrap path is fail-open when the environment-specific file is missing.
scripts/set_env.shcurrently copies.env.exampleinto the requested env file and sources it automatically. The template contains development-oriented values, including:APP_ENV=developmentDEBUG=trueJWT_SECRET_KEY="your-jwt-secret-key"That means a first-time
productionorstaginglaunch can silently start in development mode with a publicly known JWT signing key.Security impact
If this happens on a network-reachable deployment, anyone who knows the placeholder JWT secret can forge HS256 user/session tokens and access authenticated endpoints. In practice that can allow impersonation, session enumeration, and chat history access/modification.
Fix
This patch makes the startup path fail closed:
.env.exampleJWT_SECRET_KEYvalues inscripts/set_env.shAPP_ENVmatches the requested environment during bootstrapapp/core/config.pyso directuvicornlaunches also reject placeholder/missing JWT secretsTest Plan
.env.production, then runsource scripts/set_env.sh production→ startup is blockedJWT_SECRET_KEY=your-jwt-secret-keyand launch → startup is blockedAPP_ENV=productionwith a real randomJWT_SECRET_KEY→ startup proceeds normallySecurity Note
Severity: High. Private vulnerability reporting appears disabled on this repository, so this patch is prepared as a direct PR for maintainer review.