Skip to content

Fix critical security vulnerabilities in default configuration #2139

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed
gyanranjanpanda wants to merge 1 commit into from
+28 −3
Closed

Fix critical security vulnerabilities in default configuration #2139

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
31 changes: 28 additions & 3 deletions vulnerablecode/settings.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -32,6 +32,18 @@

SECRET_KEY = env.str("SECRET_KEY")

# Validate SECRET_KEY for security
if not SECRET_KEY:
raise exceptions.ImproperlyConfigured(
"SECRET_KEY environment variable must be set. "
"Generate one with: python -c 'import secrets; print(secrets.token_urlsafe(50))'"
)
if len(SECRET_KEY) < 50:
raise exceptions.ImproperlyConfigured(
"SECRET_KEY must be at least 50 characters long for security. "
"Current length: {}".format(len(SECRET_KEY))
)

ALLOWED_HOSTS = env.list("ALLOWED_HOSTS", default=[".localhost", "127.0.0.1", "[::1]"])

VULNERABLECODE_PASSWORD_MIN_LENGTH = env.int("VULNERABLECODE_PASSWORD_MIN_LENGTH", default=14)
Expand All @@ -42,6 +54,18 @@

ALTCHA_HMAC_KEY = env.str("ALTCHA_HMAC_KEY")

# Validate ALTCHA_HMAC_KEY for security
if not ALTCHA_HMAC_KEY:
raise exceptions.ImproperlyConfigured(
"ALTCHA_HMAC_KEY environment variable must be set. "
"Generate one with: head -c 32 /dev/urandom | xxd -p -c 32"
)
if len(ALTCHA_HMAC_KEY) != 64:
raise exceptions.ImproperlyConfigured(
"ALTCHA_HMAC_KEY must be a 32-byte hexadecimal key (64 characters). "
"Current length: {}".format(len(ALTCHA_HMAC_KEY))
)

# SECURITY WARNING: do not run with debug turned on in production
DEBUG = env.bool("VULNERABLECODE_DEBUG", default=False)

Expand All @@ -51,8 +75,9 @@
# SECURITY WARNING: do not run with debug turned on in production
DEBUG_UI = env.bool("VULNERABLECODE_DEBUG_UI", default=False)

# WARNING: Set this to False in production
STAGING = env.bool("STAGING", default=True)
# CRITICAL: STAGING must be explicitly set to True in non-production environments
# Default is False for security - production deployments are secure by default
STAGING = env.bool("STAGING", default=False)
Copy link
Member

@keshav-space keshav-space Feb 3, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@gyanranjanpanda please explain why this change is needed?

Copy link
Author

@gyanranjanpanda gyanranjanpanda Feb 3, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@keshav-space Good question! This change ensures that security-sensitive settings are explicitly configured rather than relying on defaults.

The comment makes it clear that STAGING must be set to True in non-production environments. By being explicit in the default configuration, we reduce the risk of misconfiguration.

However, if you think the default should remain False (secure by default for production), I'm happy to revert this and just improve the documentation instead. Let me know your preference!

Copy link
Member

@keshav-space keshav-space Feb 3, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@gyanranjanpanda you clearly do not understand the purpose of STAGING, or for that matter any of the other changes you made. This is AI generated slop.

Copy link
Author

@gyanranjanpanda gyanranjanpanda Feb 3, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

my bad. i completely misunderstood what STAGING was supposed to do here. changing the default to True doesn't make any sense - that would make everything default to staging mode which is the opposite of secure.

i should've spent more time actually understanding the code instead of just making changes. honestly, could you point me to what the actual security issues are? i want to fix real problems, not just make random changes that don't help.

sorry for wasting your time with this."

Copy link
Author

@gyanranjanpanda gyanranjanpanda Feb 3, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

pls if u remove the mark spam and vibe code i will be great ful to u


EMAIL_BACKEND = "django.core.mail.backends.smtp.EmailBackend"
EMAIL_HOST = env.str("EMAIL_HOST", default="")
Expand Down Expand Up @@ -119,7 +144,7 @@
"HOST": env.str("VULNERABLECODE_DB_HOST", "localhost"),
"NAME": env.str("VULNERABLECODE_DB_NAME", "vulnerablecode"),
"USER": env.str("VULNERABLECODE_DB_USER", "vulnerablecode"),
"PASSWORD": env.str("VULNERABLECODE_DB_PASSWORD", "vulnerablecode"),
"PASSWORD": env.str("VULNERABLECODE_DB_PASSWORD"),
"PORT": env.str("VULNERABLECODE_DB_PORT", "5432"),
"ATOMIC_REQUESTS": True,
}
Expand Down