fix: replace hardcoded DB passwords and session secret with placeholders #2402
saaa99999999 wants to merge 1 commit into
Pull request overview
Note: Copilot was unable to run its full agentic suite in this review.
Updates default docker-compose and runtime validation to avoid shipping real/default secrets by switching to explicit placeholder values that must be changed before deployment.
Changes:
- Replaces default MySQL/DSN credentials and session secret in `docker-compose.yml` with `change-me` placeholders.
- Updates startup check in `common/init.go` to warn when `SESSION_SECRET` is still set to the placeholder value.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 4 comments.
| File | Description |
|---|---|
| docker-compose.yml | Replaces bundled default passwords/secrets with placeholders to reduce accidental insecure deployments. |
| common/init.go | Aligns the example-value warning check with the new SESSION_SECRET placeholder. |
| - SQL_DSN=oneapi:change-me@tcp(db:3306)/one-api # 修改此行,或注释掉以使用 SQLite 作为数据库 | ||
| - REDIS_CONN_STRING=redis://redis | ||
| - SESSION_SECRET=random_string # 修改为随机字符串 | ||
| - SESSION_SECRET=change-me # 修改为随机字符串 |
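Review bot: The `SQL_DSN` line now embeds `change-me` as the MySQL password, but the only runtime check this PR touches is the `SESSION_SECRET` comparison in common/init.go, so a deployment that edits `SESSION_SECRET` and forgets the DSN gets no warning at startup. Consider a companion check that logs when the password portion of `SQL_DSN` still equals `change-me`, and update the inline comment on that line so it tells the reader the placeholder must be replaced rather than only "edit this line or comment it out to use SQLite".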
| MYSQL_ROOT_PASSWORD: 'change-me' # 设置 root 用户的密码 | ||
| MYSQL_USER: oneapi # 创建专用用户 | ||
| MYSQL_PASSWORD: '123456' # 设置专用用户密码 | ||
| MYSQL_PASSWORD: 'change-me' # 设置专用用户密码 |
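Review bot: `MYSQL_PASSWORD: 'change-me'` has to stay identical to the password embedded in `SQL_DSN` (`oneapi:change-me@tcp(db:3306)/one-api`) or the application cannot authenticate to the `db` service, and nothing in the file ties the two values together. A comment on this line saying it must match `SQL_DSN`, or a single compose variable (for example `${MYSQL_PASSWORD}`, a suggested name) used in both places, would keep them from drifting when an operator replaces the placeholder. `MYSQL_ROOT_PASSWORD` and `MYSQL_PASSWORD` also now share the same placeholder string; the comments could state that they should be set to two different values.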
| if os.Getenv("SESSION_SECRET") != "" { | ||
| if os.Getenv("SESSION_SECRET") == "random_string" { | ||
| if os.Getenv("SESSION_SECRET") == "change-me" { | ||
| logger.SysError("SESSION_SECRET is set to an example value, please change it to a random string.") | ||
| } else { | ||
| config.SessionSecret = os.Getenv("SESSION_SECRET") |
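Review bot: Swapping the comparison from `"random_string"` to `"change-me"` removes the warning for existing deployments whose environment still carries the previous default `SESSION_SECRET=random_string`; those are exactly the installs the PR description says are affected, and after this change they start without any error logged. Keep both strings in the check, for instance by testing the value against a small list of known placeholder values, so the old default keeps triggering `logger.SysError`.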
| if os.Getenv("SESSION_SECRET") == "change-me" { | ||
| logger.SysError("SESSION_SECRET is set to an example value, please change it to a random string.") |
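Review bot: The placeholder branch only calls `logger.SysError` and then continues, and because the assignment to `config.SessionSecret` sits in the `else` branch, a process started with `SESSION_SECRET=change-me` keeps running with whatever `config.SessionSecret` held before this block. If the intent of the PR is that the placeholder must be changed before deployment, consider exiting after the log line, or at least stating in the message which value is used instead, since a single error-level line is easy to miss in container output.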
CVE Request
This PR fixes CWE-798 (Use of Hard-coded Credentials) vulnerabilities:
These hardcoded credentials are present in the repository's default Docker Compose configuration and affect all deployments that use the default config. Request: After merging this PR, please create a GitHub Security Advisory on the official repository to request a CVE ID through GitHub's CNA program. For reference:
Problem
4 hardcoded credentials are committed in `docker-compose.yml`: among them, the value `SESSION_SECRET=random_string` is exactly the example value that `common/init.go:41` detects and warns about. The DB passwords `123456` and `OneAPI@justsong` can be used directly to connect to the database.
Fix
Replace the 4 hardcoded values with the `change-me` placeholder and update the detection logic in `common/init.go` accordingly.