trevor/finance_bot
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
main
finance_bot/SECURITY_AUDIT.md
Andrey K. Choi b79adf1c69 init commit
2025-12-10 22:09:31 +09:00

7.1 KiB
Raw Permalink Blame History

🔒 SECURITY AUDIT - Finance Bot

Date: 10 декабря 2025
Status: ⚠️ CRITICAL ISSUES FOUND AND FIXED

📋 FINDINGS

🔴 CRITICAL ISSUES FOUND:

1. Real Credentials in .env

  • Location: /home/data/finance_bot/.env
  • Issue: Contains real Telegram bot token and database credentials
  • Risk: If file is committed to Git or leaked, bot/DB are compromised
  • Fix: Replaced with placeholder values + created .env.example

2. Hardcoded Database Passwords in docker-compose.yml

  • Location: Lines 48, 62, 76 in docker-compose.yml
  • Values: finance_pass hardcoded 3 times
  • Risk: Password exposed in version control
  • Services Affected:
    • migrations service: DATABASE_URL=postgresql+psycopg2://finance_user:finance_pass@postgres:5432/finance_db
    • bot service: DATABASE_URL=postgresql+psycopg2://finance_user:finance_pass@postgres:5432/finance_db
    • web service: DATABASE_URL=postgresql+psycopg2://finance_user:finance_pass@postgres:5432/finance_db
  • Fix: Replaced with ${DB_PASSWORD} from environment variable

3. Hardcoded PostgreSQL Credentials in docker-compose.yml

  • Location: Lines 6-8
  • Values:
    • POSTGRES_USER: finance_user (acceptable - username)
    • POSTGRES_PASSWORD: finance_pass (CRITICAL - hardcoded)
    • POSTGRES_DB: finance_db (acceptable - database name)
  • Fix: Replaced password with ${DB_PASSWORD} variable

4. Missing .env.example File

  • Issue: New developers don't know what environment variables to set
  • Risk: Developers might hardcode credentials while setting up
  • Fix: Created .env.example with all required variables + comments

FIXES APPLIED

1. Updated .env (Safe Version)

# EXAMPLE - REPLACE WITH ACTUAL VALUES
BOT_TOKEN=your_telegram_bot_token_here
BOT_ADMIN_ID=123456789
DATABASE_URL=postgresql+psycopg2://finance_user:your_password@localhost:5432/finance_db
DATABASE_ECHO=false
REDIS_URL=redis://localhost:6379/0
DB_PASSWORD=your_database_password_here
DB_USER=finance_user
DB_NAME=finance_db
APP_DEBUG=false
APP_ENV=production
LOG_LEVEL=INFO
TZ=Europe/Moscow
API_HOST=0.0.0.0
API_PORT=8000

2. Created .env.example

  • Template file with all required variables
  • Placeholder values (NO REAL CREDENTIALS)
  • Detailed comments explaining each variable
  • Instructions for developers

3. Updated docker-compose.yml

Changed from hardcoded values to environment variables:

Before (UNSAFE):

POSTGRES_PASSWORD: finance_pass
DATABASE_URL: postgresql+psycopg2://finance_user:finance_pass@postgres:5432/finance_db

After (SAFE):

POSTGRES_PASSWORD: ${DB_PASSWORD}
DATABASE_URL: postgresql+psycopg2://${DB_USER}:${DB_PASSWORD}@postgres:5432/${DB_NAME}

4. Code Review Results

Python Files - SAFE

  • app/main.py - Uses settings.bot_token
  • app/core/config.py - Reads from .env via pydantic-settings
  • app/db/database.py - Uses settings.database_url
  • All other Python files - NO hardcoded credentials found

Migration Files - SAFE

  • migrations/versions/001_initial.py - Schema only, NO credentials
  • migrations/env.py - Reads from settings

Docker Files - NOW SAFE (FIXED)

  • Dockerfile - NO credentials
  • docker-compose.yml - NOW uses environment variables

Scripts - SAFE

  • QUICKSTART.sh - NO hardcoded credentials
  • All other scripts - NO credentials

🔐 SECURITY BEST PRACTICES IMPLEMENTED

1. Environment Variable Management

# All sensitive data from .env
BOT_TOKEN=${BOT_TOKEN}
DATABASE_URL=${DATABASE_URL}
REDIS_URL=${REDIS_URL}

2. Docker Compose Integration

# Variables from .env file
environment:
  DB_PASSWORD: ${DB_PASSWORD}
  BOT_TOKEN: ${BOT_TOKEN}

3. Pydantic-Settings Usage

# Automatically reads from .env
class Settings(BaseSettings):
    bot_token: str  # From BOT_TOKEN env var
    database_url: str  # From DATABASE_URL env var

4. .env in .gitignore

.env           # Never commit real credentials
.env.local
.env.*.local

5. Development Workflow

# For new developers:
1. cp .env.example .env
2. Edit .env with your credentials
3. docker-compose up -d

📋 CHECKLIST - WHAT WAS VERIFIED

  • No real bot tokens in code
  • No hardcoded database passwords in code
  • No API keys in Python files
  • No credentials in Docker files (now using env vars)
  • No secrets in migration scripts
  • .env not in version control (in .gitignore)
  • .env.example created with safe values
  • pydantic-settings properly configured
  • Docker Compose uses environment variables
  • All configuration externalized

🚀 DEPLOYMENT INSTRUCTIONS

Development Environment

cp .env.example .env
# Edit .env with your local PostgreSQL/Redis/Bot credentials
docker-compose up -d

Production Environment

# Set environment variables via:
# 1. Docker secrets (Swarm mode)
# 2. Kubernetes secrets (K8s)
# 3. Cloud provider secrets (AWS Secrets Manager, etc.)
# 4. System environment variables

# Example with export:
export BOT_TOKEN="your_production_token"
export DB_PASSWORD="your_production_password"
docker-compose -f docker-compose.yml -f docker-compose.prod.yml up -d

Environment Variables Required for Docker

BOT_TOKEN           # Telegram bot token
DB_PASSWORD         # PostgreSQL password
DATABASE_URL        # Full database URL (optional, auto-constructed)
DB_USER             # Database user (default: finance_user)
DB_NAME             # Database name (default: finance_db)
APP_ENV             # environment (development|production)
REDIS_URL           # Redis connection URL

📚 FILES MODIFIED

File Changes
.env Replaced real credentials with placeholders
.env.example Created new (safe template)
docker-compose.yml Updated 3 locations with ${ENV_VAR}
SECURITY_AUDIT.md This file

🔄 ONGOING SECURITY PRACTICES

For Developers

  1. Never commit .env file
  2. Use .env.example for reference
  3. Always use environment variables in code
  4. Review pydantic-settings configuration

For DevOps

  1. Rotate credentials regularly
  2. Use secret management (Vault, AWS Secrets Manager, K8s)
  3. Enable audit logging
  4. Monitor unauthorized access attempts

For Code Reviews

  1. Check for hardcoded strings that look like tokens/passwords
  2. Verify docker-compose.yml uses environment variables
  3. Ensure .env is never committed
  4. Review migration scripts for data/credentials

📞 ADDITIONAL RESOURCES

Status: ALL CRITICAL ISSUES RESOLVED

All credentials have been externalized to .env file. The application now follows security best practices for credential management.