6 changes: 3 additions & 3 deletions app.py
@@ -1,5 +1,5 @@

from http import HTTPStatus

from flask import Flask, render_template, request, redirect, url_for, session, jsonify, flash
import sqlite3
import os
Expand All @@ -18,7 +18,7 @@
pass

app = Flask(__name__)
app.secret_key = os.environ.get("SECRET_KEY", secrets.token_hex(16))
app.secret_key = os.environ.get("SECRET_KEY" ,"dev-secret-key-change-me")

Contributor


MAJOR SECURITY Hardcoded default secret key exposes session signing to anyone who reads the repo

Any deployment that omits the SECRET_KEY env var will use the publicly visible string "dev-secret-key-change-me", allowing an attacker to forge signed session cookies. The previous default secrets.token_hex(16) was randomly generated per process, which was safer.

Prompt to fix with AI

In app.py at line 21, the Flask secret key fallback was changed from `secrets.token_hex(16)` to the hardcoded string `"dev-secret-key-change-me"`. This is a security vulnerability: any deployment without the SECRET_KEY env var will use a publicly known key, enabling session cookie forgery. Revert the fallback to `secrets.token_hex(16)` (which requires the `secrets` module already imported) or raise a `RuntimeError` when SECRET_KEY is missing in production.

app.permanent_session_lifetime = timedelta(days=30)

# Session security configuration
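Review bot: the new fallback `"dev-secret-key-change-me"` is a hardcoded, repo-visible signing key, so any deployment that forgets to set `SECRET_KEY` signs its session cookies with a value anyone who can read the repository already knows; with the 30-day `permanent_session_lifetime` set just below, a cookie forged under that key stays valid for a long time. The previous `secrets.token_hex(16)` fallback at least produced an unguessable per-process key (its only cost being that sessions are invalidated on restart). Prefer failing closed: read the key with `os.environ["SECRET_KEY"]`, or raise `RuntimeError("SECRET_KEY is not set")` when it is missing, and keep a random fallback only behind an explicit development flag. Minor style point: `os.environ.get("SECRET_KEY" ,"...")` should be `os.environ.get("SECRET_KEY", "...")`.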
Expand All @@ -38,7 +38,7 @@ def make_session_permanent():
DB_PATH = os.path.join(os.path.dirname(__file__), "ams.db")

# Define upload folder path for certificates
UPLOAD_FOLDER = os.path.join(os.path.dirname(os.path.abspath(__file__)), "static", "uploads")
UPLOAD_FOLDER = os.path.join(os.path.dirname(os.path.abspath(__file__)), "static" "uploads")

Contributor


CRITICAL BUG Missing comma in os.path.join concatenates 'static' and 'uploads' into 'staticuploads'

Python's implicit string literal concatenation turns "static" "uploads" into a single argument "staticuploads", so UPLOAD_FOLDER resolves to <base>/staticuploads (a non-existent path) instead of <base>/static/uploads. File saves at line 473 and profile-directory creation at line 663 will write to the wrong location.

Suggested change
UPLOAD_FOLDER = os.path.join(os.path.dirname(os.path.abspath(__file__)), "static" "uploads")
UPLOAD_FOLDER = os.path.join(os.path.dirname(os.path.abspath(__file__)), "static", "uploads")
Prompt to fix with AI

In app.py at line 41, the call to os.path.join is missing a comma between "static" and "uploads". Python's implicit string concatenation silently merges them into "staticuploads", making UPLOAD_FOLDER point to a wrong path. Fix by changing the line to:

UPLOAD_FOLDER = os.path.join(os.path.dirname(os.path.abspath(__file__)), "static", "uploads")

os.makedirs(UPLOAD_FOLDER, exist_ok=True)
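Review bot: the dropped comma in `"static" "uploads"` is implicit string literal concatenation, so `UPLOAD_FOLDER` resolves to `<base>/staticuploads`, and the `os.makedirs(UPLOAD_FOLDER, exist_ok=True)` immediately below will quietly create that wrong directory instead of failing, so nothing at startup flags the regression. The removed line was correct, so this change should be dropped rather than amended: keep `os.path.join(os.path.dirname(os.path.abspath(__file__)), "static", "uploads")`. A small test such as `assert UPLOAD_FOLDER.endswith(os.path.join("static", "uploads"))` would catch this class of typo in CI before it reaches a deployment.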