
fix: replace hardcoded credentials with env var functions (CWE-798) #98

Open

saaa99999999 wants to merge 2 commits into cloudwego:main from saaa99999999:fix/hardcoded-credentials

Conversation


saaa99999999 commented May 23, 2026


The easy_note demo has two hardcoded credentials in its constants file: a JWT signing key and a MySQL DSN with username and password.

What was there

easy_note/pkg/consts/consts.go:21,28:

const (
    SecretKey       = "secret key"
    MySQLDefaultDSN = "gorm:gorm@tcp(localhost:3306)/gorm?charset=utf8&parseTime=True&loc=Local"
)

The JWT signing key "secret key" is used in cmd/api/mw/jwt.go:

Key: []byte(consts.SecretKey),

The DSN "gorm:gorm@tcp(...)" exposes the database username and password. Anyone reading the public repo can:

  1. Forge JWT tokens with "secret key" and authenticate as any user
  2. Connect to the MySQL database with gorm:gorm credentials

What changed

Replaced constants with functions that read from env vars, exiting cleanly if not set:

package consts

import (
    "fmt"
    "os"
)

// SecretKey returns the JWT signing key from JWT_SECRET_KEY, exiting if unset.
func SecretKey() string {
    key := os.Getenv("JWT_SECRET_KEY")
    if key == "" {
        fmt.Fprintf(os.Stderr, "fatal: JWT_SECRET_KEY is not set. Generate one with: openssl rand -base64 32\n")
        os.Exit(1)
    }
    return key
}

// MySQLDSN returns the database DSN from DB_DSN, exiting if unset.
func MySQLDSN() string {
    dsn := os.Getenv("DB_DSN")
    if dsn == "" {
        fmt.Fprintf(os.Stderr, "fatal: DB_DSN is not set\n")
        os.Exit(1)
    }
    return dsn
}

Call site updated from consts.SecretKey to consts.SecretKey().


CWE-798
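Added example, not code from the PR or the cloudwego repository: a stricter variant of the `SecretKey()` loader described above. Besides failing on an unset variable it also refuses the removed placeholder `"secret key"` and keys shorter than 32 characters, and it returns an error so each failure mode can be unit-tested; the `lookup` parameter, `minKeyLen` and `knownPlaceholders` are assumptions of this example.

```go
package main

import (
	"fmt"
	"os"
	"strings"
)

// minKeyLen is an assumed floor: the "openssl rand -base64 32" command the
// fix recommends yields 44 characters, so anything shorter is suspicious.
const minKeyLen = 32

// knownPlaceholders lists values that must never be accepted as a signing
// key, starting with the literal the PR removed (assumed list).
var knownPlaceholders = map[string]bool{"secret key": true, "changeme": true}

// loadSecretKey reads the JWT signing key from the variable `name` via the
// supplied lookup (os.LookupEnv in production, a map in tests). Unlike the
// os.Exit version it returns an error, so every rejection path is testable.
func loadSecretKey(lookup func(string) (string, bool), name string) ([]byte, error) {
	raw, ok := lookup(name)
	raw = strings.TrimSpace(raw)
	if !ok || raw == "" {
		return nil, fmt.Errorf("%s is not set; generate one with: openssl rand -base64 32", name)
	}
	if knownPlaceholders[strings.ToLower(raw)] {
		return nil, fmt.Errorf("%s holds a known placeholder value; refusing to start", name)
	}
	if len(raw) < minKeyLen {
		return nil, fmt.Errorf("%s is %d characters; need at least %d", name, len(raw), minKeyLen)
	}
	return []byte(raw), nil
}

// MustSecretKey is the startup wrapper with the same fail-fast behaviour as
// the fix: any problem is reported on stderr and the process exits with 1.
func MustSecretKey() []byte {
	key, err := loadSecretKey(os.LookupEnv, "JWT_SECRET_KEY")
	if err != nil {
		fmt.Fprintln(os.Stderr, "fatal:", err)
		os.Exit(1)
	}
	return key
}

func main() {
	fmt.Printf("loaded %d-byte JWT signing key\n", len(MustSecretKey()))
}
```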


CLAassistant commented May 23, 2026


CLA assistant check
All committers have signed the CLA.

Replace hardcoded JWT secret key ("secret key") and MySQL DSN in
easy_note/pkg/consts with functions reading from environment variables
(JWT_SECRET_KEY and DB_DSN), panicking on empty values.

CWE-798: Use of Hard-coded Credentials

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
saaa99999999 force-pushed the fix/hardcoded-credentials branch from 00df799 to f2bc8ab on May 23, 2026 07:55
