| 3 | Medium | Default weak MariaDB credentials (`harvest`/`harvest`) |**Documented**— override for production |`README.md`,`chart/values.yaml:9-11`|
12
12
13
-
> All previously reported issues #2–9 from ISFSMS.md remain resolved; only the Secret template (#1 originally) has regressed.
13
+
> Previously reported hardening issues remain resolved. Current accepted/documented risks are trusted Helm values and development-only default credentials.
14
14
15
15
## Detailed findings
16
16
17
17
### 1. SQL injection via Helm template `mysql.table` value (High)
18
18
19
19
**Category:** V5 Validation — Injection (CWE-89)
20
20
**Trust boundary:** Helm values supplied at `helm install` / `--set` or via `values.yaml` (operator-controlled, potentially from CI or external configs).
21
-
**Sink:**`chart/harvest.sql` line 243, rendered through `tpl` in `chart/templates/configmap.yaml:10`.
21
+
**Sink:**`chart/harvest.sql`, rendered through `tpl` in `chart/templates/configmap.yaml`.
22
22
23
23
**Evidence:**
24
24
The SQL file contains:
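Review bot: the heading `### 1. SQL injection via Helm template `mysql.table` value (High)` still carries a High severity while the summary line above now says the Helm template risk is accepted; add a `**Status:** Accepted risk` line directly under the heading, in the same shape as the `**Status:** Resolved.` line finding 2 uses, so severity and disposition do not contradict each other. The rewritten sink line also drops both location references (`line 243` and `configmap.yaml:10`); if they went stale, replace them with current line numbers instead of removing them, since the Evidence section that follows points the reader at the SQL file.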
@@ -48,37 +48,20 @@ The Helm template risk is accepted. Chart installers (`helm install`, `--set`) a
48
48
49
49
### 2. Missing Secret template for MariaDB credentials (High)
**Status:** Resolved. `chart/templates/secret.yaml` exists and renders the `mariadb-credentials` Secret used by the StatefulSet and CronJob.
52
53
53
-
**Evidence:**
54
-
The chart defines credential values in `chart/values.yaml` (`mariadb.rootPassword`, `mariadb.user`, `mariadb.password`), and both the StatefulSet (`chart/templates/statefulset.yaml` lines 39, 47, 52) and the CronJob (`chart/templates/cronjob.yaml` lines 44, 49) reference a Kubernetes Secret named `mariadb-credentials`. No Secret template exists in the chart (`chart/templates/secret.yaml` is absent from the repository contents).
55
-
56
-
**Impact:**
57
-
Any attempt to install the chart will result in pod errors (`CreateContainerConfigError`) because the required Secret is missing. The chart is unusable without manual intervention, defeating its purpose as a self-contained deployment.
58
-
59
-
**Preconditions:**
60
-
None — the chart fails to deploy immediately with default values (as shown in the README commands).
61
-
62
-
**Fix:**
63
-
Add a `chart/templates/secret.yaml` with content similar to:
In `chart/values.yaml`, the entries `mariadb.rootPassword`, `mariadb.user`, and `mariadb.password` are all set to the literal string `harvest`. The NetworkPolicy is disabled by default (`networkPolicy.enabled: false`), meaning the database is accessible from any pod in the cluster with these well-known credentials.
64
+
In `chart/values.yaml`, the bundled MariaDB defaults (`mariadb.rootPassword`, `mariadb.user`, and `mariadb.password`) are all set to the literal string `harvest`. When the bundled database is enabled, the NetworkPolicy is disabled by default (`networkPolicy.enabled: false`), meaning MariaDB is accessible from any pod in the cluster with these well-known credentials.
82
65
83
66
**Impact:**
84
67
If a deployment uses the defaults (e.g., an automated pipeline that neglects to override them), an attacker who gains a foothold in the cluster (any pod) can connect to MariaDB as `harvest`/`harvest` and exfiltrate or destroy the consultation data.
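Review bot: the new sentence `When the bundled database is enabled, the NetworkPolicy is disabled by default (networkPolicy.enabled: false)` reads as if the NetworkPolicy default depends on `mariadb.enabled`; if `networkPolicy.enabled: false` is the unconditional default in `chart/values.yaml`, say so plainly and then note that the exposure only matters when the bundled MariaDB is enabled. For the resolved finding 2, collapsing Evidence/Impact/Preconditions/Fix into a single Status line is fine, but that line should state what `chart/templates/secret.yaml` does with empty or default values, since the weak-default finding below now depends on that template's behaviour.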
@@ -87,7 +70,6 @@ If a deployment uses the defaults (e.g., an automated pipeline that neglects to
87
70
The chart is installed with default values, a likely accidental scenario for users who skip reading the “override for production” note.
88
71
89
72
**Fix:**
90
-
- Enforce that credentials must be provided by using `required` in the Secret template:
91
-
`{{ required "mariadb.password is required" .Values.mariadb.password }}`
92
-
- Or generate strong random passwords at install time (e.g., with `randAlphaNum`) and store them in the Secret.
93
-
- At minimum, set the defaults to empty strings so the deployment fails clearly rather than running with weak credentials.
73
+
- For production, set `mariadb.enabled=false` and point `mysql.host` at an externally managed database.
74
+
- Always override `mariadb.user` and `mariadb.password` for production/external databases.
75
+
- A future hardening change could enforce non-empty credentials with `required` or generate strong random install-time passwords.
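Review bot: the Fix list drops the concrete enforcement options (`required` in the Secret template, install-time `randAlphaNum`, or empty defaults) in favour of `A future hardening change could enforce non-empty credentials with required...`, while the finding keeps Medium severity and the chart still ships `harvest`/`harvest`. Either keep the `{{ required "mariadb.password is required" .Values.mariadb.password }}` snippet as the recommended fix or add an explicit status line here matching the summary (`development-only default credentials`), so the section says whether this item is open or accepted. Also confirm that `mysql.host` in `point mysql.host at an externally managed database` is an existing key in `chart/values.yaml`; this is its first mention in the document.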
README.md (39 additions & 23 deletions)
@@ -1,21 +1,27 @@
1
1
# DuckDB SQL Pipeline for Harvesting Consultations
2
2
3
3
A single SQL file pulls consultation data from WA government Citizen Space and
4
-
EngagementHQ APIs, normalises it, and mirrors it into MariaDB for downstream consumption.
4
+
EngagementHQ APIs, normalises it, and mirrors it into a MariaDB table for downstream consumption.
5
5
The runtime harvest path is DuckDB SQL only; Python is not required.
6
6
7
7
## Quick start
8
8
9
-
Set the standard [DuckDB MySQL environment variables](https://duckdb.org/docs/current/core_extensions/mysql#configuration) before running locally:
9
+
The recommended path is Helm, because `chart/harvest.sql` is templated with the
10
+
configured output table name.
11
+
12
+
For local DuckDB runs, set the standard [DuckDB MySQL environment variables](https://duckdb.org/docs/current/core_extensions/mysql#configuration), render the table name, then run the rendered SQL:
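Review bot: the Quick start now recommends Helm because `chart/harvest.sql` is templated with the configured output table name, but it does not tell the reader that this value (`mysql.table`) is interpolated into the SQL, which is the accepted injection risk recorded under finding 1 of the security review. Add one sentence after `configured output table name.` stating that `mysql.table` must be a plain table identifier set only by the chart operator and never sourced from untrusted input, so the README carries the same caveat the findings document relies on.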