Skip to content

fix: fail closed on missing or placeholder environment secrets#90

Open
failsafesecurity wants to merge 1 commit into
wassim249:masterfrom
failsafesecurity:fix/f001-placeholder-prod-secrets
Open

fix: fail closed on missing or placeholder environment secrets#90
failsafesecurity wants to merge 1 commit into
wassim249:masterfrom
failsafesecurity:fix/f001-placeholder-prod-secrets

Conversation

@failsafesecurity

Copy link
Copy Markdown

Problem

The production/staging bootstrap path is fail-open when the environment-specific file is missing.

scripts/set_env.sh currently copies .env.example into the requested env file and sources it automatically. The template contains development-oriented values, including:

  • APP_ENV=development
  • DEBUG=true
  • JWT_SECRET_KEY="your-jwt-secret-key"

That means a first-time production or staging launch can silently start in development mode with a publicly known JWT signing key.

Security impact

If this happens on a network-reachable deployment, anyone who knows the placeholder JWT secret can forge HS256 user/session tokens and access authenticated endpoints. In practice that can allow impersonation, session enumeration, and chat history access/modification.

Fix

This patch makes the startup path fail closed:

  • refuse to auto-create missing non-development env files from .env.example
  • reject empty or placeholder JWT_SECRET_KEY values in scripts/set_env.sh
  • ensure APP_ENV matches the requested environment during bootstrap
  • add a runtime guard in app/core/config.py so direct uvicorn launches also reject placeholder/missing JWT secrets

Test Plan

  • Remove .env.production, then run source scripts/set_env.sh production → startup is blocked
  • Set JWT_SECRET_KEY=your-jwt-secret-key and launch → startup is blocked
  • Set APP_ENV=production with a real random JWT_SECRET_KEY → startup proceeds normally
  • Development setups with a real JWT secret continue to work as before

Security Note

Severity: High. Private vulnerability reporting appears disabled on this repository, so this patch is prepared as a direct PR for maintainer review.

@failsafesecurity

Copy link
Copy Markdown
Author

👋 Gentle ping — this PR has been open for ~17 days. The fix ensures production deployments fail closed on missing/placeholder secrets rather than silently running vulnerable. Happy to adjust scope or approach.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant