Skip to content

Security: Fix hardcoded credentials and sensitive data exposure#170

Open
saaa99999999 wants to merge 1 commit into
LyricTian:mainfrom
saaa99999999:fix/hardcoded-credentials
Open

Security: Fix hardcoded credentials and sensitive data exposure#170
saaa99999999 wants to merge 1 commit into
LyricTian:mainfrom
saaa99999999:fix/hardcoded-credentials

Conversation

@saaa99999999

Copy link
Copy Markdown

Summary

This PR fixes multiple security issues related to hardcoded credentials and sensitive data exposure.

1. Hardcoded JWT Signing Key (CWE-798)

  • pkg/jwtx/jwt.go:22 — Removed hardcoded default key CG24SDVP8OHPK395GB5G
  • internal/config/middleware.go:39 — Removed default signing key XnEsT0S@
  • configs/dev/middleware.toml:31 — Replaced hardcoded key with empty placeholder
  • internal/wirex/injector.go:91-92 — Added startup validation: application will fail to start if signing key is not configured

2. Default Admin Password (CWE-798)

  • internal/config/config.go:26 — Removed default password hash MD5(abc-123) with comment that revealed the actual password

3. JWT Token Leaked in Logs (CWE-532)

  • internal/mods/rbac/biz/login.biz.go:134 — Removed full JWT token from log output, preventing token theft from logs

4. Default Prometheus Credentials (CWE-1392)

  • internal/config/config.go:101-102 — Removed default admin/admin credentials

5. Dev Environment Hardcoded Passwords (CWE-798)

  • .devcontainer/.env:4-5 — Replaced hardcoded PostgreSQL password with placeholder

Test plan

  • Application fails to start with empty JWT signing key (validation works)
  • JWT authentication works correctly with a properly configured signing key
  • Token is no longer logged in plaintext
  • Config loads correctly with new defaults

Remove hardcoded JWT signing key defaults, default admin password,
database credentials, prometheus basic auth, and JWT token logging.

CWE-798: Hardcoded JWT keys and credentials in config defaults
CWE-532: JWT access token logged in plaintext
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant