diff --git a/.gitignore b/.gitignore
index 532c7fb..e00e44f 100644
--- a/.gitignore
+++ b/.gitignore
@@ -5,4 +5,5 @@ __pycache__/
 .devcontainer/
 src/.pdm-python
-src/htmlcov
\ No newline at end of file
+src/htmlcov
+src/.env
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index aec8f6e..1029ba4 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -14,6 +14,9 @@ build job:
 - export PATH=/root/.local/bin:$PATH
 - pdm install
+ # Set environment variables for the tests
+ - export FLASK_SECRET_KEY=$FLASK_SECRET_KEY
+ # launch tests
 - export PYTHONPATH=.
 - export FLASK_APP=app
diff --git a/docs/questions-part1.md b/docs/questions-part1.md
index 066e77f..8a7c2db 100644
--- a/docs/questions-part1.md
+++ b/docs/questions-part1.md
@@ -6,3 +6,8 @@
 - **Q1.2**: The secret key for flask is hard coded. Is this good practice? What are the dangers? How could this be fixed?
 - **Q1.3**: Give a short description of *Linter*. Integrate a basic linter like [Flake8](https://flake8.pycqa.org/en/latest/) or [Ruff](https://github.com/astral-sh/ruff) in the existing CI/CD pipeline
 - **Q1.4 (optional)**: The run of the current CI/CD pipeline takes some time. Especially the time to setup the docker with the update and installation of all the dependencies is quite time consuming compared to the real testing time. Do you see any alternatives to speed up this process? Describe and try to implement it in your pipeline.
+
+# Answers - Part 1
+## Q1.2
+- It's a very bad practice. The secret key will be exposed in the codebase and can be easily accessed by anyone who has access to the codebase. This can lead to security vulnerabilities and compromise the integrity of the application.
+- To fix this, you can use environment variables to store the secret key.
diff --git a/src/.env.template b/src/.env.template
new file mode 100644
index 0000000..0fccadf
--- /dev/null
+++ b/src/.env.template
@@ -0,0 +1 @@
+FLASK_SECRET_KEY=
diff --git a/src/app.py b/src/app.py
index 2f04ffc..782c882 100644
--- a/src/app.py
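Review bot: `- export FLASK_SECRET_KEY=$FLASK_SECRET_KEY` is a no-op: if the variable is already in the job environment the tests can already see it, and if it is not, the line silently exports an empty value and the app is started without a usable key. The test job has no need for the production secret at all, so the lowest-exposure option is an ephemeral per-job key, `- export FLASK_SECRET_KEY=$(python -c 'import secrets; print(secrets.token_hex(32))')`. If the value is meant to come from project settings instead, define it there as a masked (and, for protected branches, protected) CI/CD variable so it never lands in job logs, and fail fast when it is absent: `- test -n "$FLASK_SECRET_KEY" || { echo 'FLASK_SECRET_KEY is not set' >&2; exit 1; }`. The `build job:` script list opens before this hunk.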
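Review bot: The template says nothing about what a valid value looks like, so whoever copies it to `src/.env` is likely to leave `FLASK_SECRET_KEY=` blank or type a short memorable string, and either one undoes the point of moving the key out of the source. Add a comment above the assignment that tells them how to produce it: `# Generate a fresh value with: python -c "import secrets; print(secrets.token_hex(32))"` followed by `# Use a different value per environment; never commit src/.env`. python-dotenv accepts full-line `#` comments, so the template stays loadable as-is.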
+++ b/src/app.py
@@ -18,6 +18,10 @@ from flask import request, Flask, url_for, render_template, redirect
 import operators
 import json
+from dotenv import load_dotenv
+import os
+
+
 __author__ = 'Michael Mäder'
@@ -36,7 +40,7 @@ A little web application that offers API calls for arithmetic operations
 # creation of the Flask application
 app = Flask(__name__)
-app.config['SECRET_KEY'] = 'the-best-secret-ever' # super secure key against CSRF attacks
+app.config['SECRET_KEY'] = os.environ.get('FLASK_SECRET_KEY') # super secure key against CSRF attacks
 # global variable containing the name of the login user
 global_data = {'username': 'no_user'}
diff --git a/src/pdm.lock b/src/pdm.lock
index ff8ab12..dbc92a9 100644
--- a/src/pdm.lock
+++ b/src/pdm.lock
@@ -5,7 +5,7 @@ groups = ["default"]
 strategy = ["inherit_metadata"]
 lock_version = "4.5.0"
-content_hash = "sha256:5a2be8939d6734b2295f420aee17c34be5958903eb13eba88b45213f3c4c0333"
+content_hash = "sha256:e36fdc748f0c9135da773b2fbab7f45cc5c43e27fad6d39d2de23857da4c1a91"
 [[metadata.targets]]
 requires_python = ">3.11"
@@ -177,6 +177,18 @@ files = [
 {file = "coverage-7.6.12.tar.gz", hash = "sha256:48cfc4641d95d34766ad41d9573cc0f22a48aa88d22657a1fe01dca0dbae4de2"},
 ]
+[[package]]
+name = "dotenv"
+version = "0.9.9"
+summary = "Deprecated package"
+groups = ["default"]
+dependencies = [
+ "python-dotenv",
+]
+files = [
+ {file = "dotenv-0.9.9-py2.py3-none-any.whl", hash = "sha256:29cf74a087b31dafdb5a446b6d7e11cbce8ed2741540e2339c69fbef92c94ce9"},
+]
+
 [[package]]
 name = "flask"
 version = "3.1.0"
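Review bot: `load_dotenv` is imported in the first app.py hunk but never called, and these two hunks are the only changes to the file, so `src/.env` (and the new `.env.template`) is never read — the key only arrives if the process environment already carries it. On top of that, `os.environ.get('FLASK_SECRET_KEY')` yields `None` when the variable is unset and `''` when someone copies the template unfilled, and in both cases the app starts without a usable secret and only complains later, on the first session or CSRF-token use, while the comment still advertises a "super secure key". Call `load_dotenv()` before the lookup and refuse to start without a non-empty key; both lines sit at module level right after `app = Flask(__name__)`.
```python
app = Flask(__name__)

# Local development reads src/.env (gitignored); CI and production set the
# variable in the process environment, which load_dotenv() does not override
# by default.
load_dotenv()
_secret_key = os.environ.get('FLASK_SECRET_KEY')
if not _secret_key:
    # Fail fast: with SECRET_KEY unset, sessions and CSRF protection only
    # raise on first use, not at startup.
    raise RuntimeError('FLASK_SECRET_KEY is not set; see src/.env.template')
app.config['SECRET_KEY'] = _secret_key
# … unchanged: global_data …
```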
@@ -364,6 +376,17 @@ files = [
 {file = "pytest_cov-6.0.0-py3-none-any.whl", hash = "sha256:eee6f1b9e61008bd34975a4d5bab25801eb31898b032dd55addc93e96fcaaa35"},
 ]
+[[package]]
+name = "python-dotenv"
+version = "1.0.1"
+requires_python = ">=3.8"
+summary = "Read key-value pairs from a .env file and set them as environment variables"
+groups = ["default"]
+files = [
+ {file = "python-dotenv-1.0.1.tar.gz", hash = "sha256:e324ee90a023d808f1959c46bcbc04446a10ced277783dc6ee09987c37ec10ca"},
+ {file = "python_dotenv-1.0.1-py3-none-any.whl", hash = "sha256:f7b63ef50f1b690dddf550d03497b66d609393b40b564ed0d674909a68ebf16a"},
+]
+
 [[package]]
 name = "werkzeug"
 version = "3.1.3"
diff --git a/src/pyproject.toml b/src/pyproject.toml
index 4cff15a..2b82610 100644
--- a/src/pyproject.toml
+++ b/src/pyproject.toml
@@ -10,6 +10,7 @@ dependencies = [
 "pytest-cov>=4.1.0",
 "Flask>=3.0.2",
 "flask-wtf>=1.2.1",
+ "dotenv>=0.9.9",
 ]
 requires-python = ">3.11"
 readme = "README.md"
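Review bot: `"dotenv>=0.9.9"` declares the wrong distribution: the lockfile in this same commit records it with `summary = "Deprecated package"` and a single dependency on `python-dotenv`, i.e. it is an abandoned PyPI shim that only pulls in the real library. Depending on the shim adds an unmaintained link to the supply chain — a separate publisher account that can push a new release under that name — for no benefit. Declare the real package instead, `"python-dotenv>=1.0.1"`, and re-lock; `python-dotenv` is what provides the `dotenv` module, so `from dotenv import load_dotenv` in app.py needs no change. The `dependencies = [` list opens before this hunk.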