Description
The Contradiction
In CONTRIBUTING.md the project clearly states:
“Sensitive data (username, password, keys) should not be pushed. Always use environment variables.”
However, many code examples and documentation files (like your Cassandra example) use hardcoded credentials, e.g.:

```go
Username: "cassandra",
Password: "cassandra",
```

Why This Is a Problem
Mixed Messaging: New contributors and users may be confused about what is acceptable. The docs say “don’t do this,” but the examples do it.
Bad Habits: Developers often copy-paste code from docs. If the example uses hardcoded secrets, they might do the same in production, leading to real security risks.
Potential for Accidental Leaks: If someone copies the example into a real environment and substitutes real credentials for the placeholders, those real secrets can end up committed alongside the code.
Security Impact
Propagation of Insecure Practices:
If insecure patterns are shown in official docs, they can spread to many projects, increasing the risk of breaches.
Reputation Risk:
Open source projects are often judged by their documentation. Contradictory or insecure docs can harm the project's reputation.
Suggestions
Update All Examples:
Replace hardcoded credentials with environment variable lookups, e.g.:

```go
Username: os.Getenv("CASSANDRA_USERNAME"),
Password: os.Getenv("CASSANDRA_PASSWORD"),
```

Add Security Warnings:
Clearly state in every example that credentials are for demonstration only and must not be used in production.
Align Docs and Policy:
Ensure all documentation matches the security advice in CONTRIBUTING.md.
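One caveat a reviewer of the updated examples would want covered: `os.Getenv` returns `""` when a variable is unset, so a bare `os.Getenv("CASSANDRA_PASSWORD")` silently hands the driver an empty password. The following is an added, stand-alone example (not code from the project or from this issue's author) showing how an example could load the credentials and fail closed instead. The variable names `CASSANDRA_USERNAME` / `CASSANDRA_PASSWORD`, the `Credentials` type and `LoadCredentials` function are assumptions made for illustration, not a project-defined API.

```go
package main

import (
	"errors"
	"fmt"
	"os"
)

// Credentials holds the username and password loaded from the environment.
// The variable names are an assumption for this example, not a project contract.
type Credentials struct {
	Username string
	Password string
}

// ErrMissingCredential is returned when a required variable is absent or empty.
var ErrMissingCredential = errors.New("required credential not set in environment")

// requiredEnv uses os.LookupEnv rather than os.Getenv so that an unset variable
// is distinguishable from one deliberately set to "". Both cases are rejected:
// an empty password should never reach the database driver unnoticed.
func requiredEnv(name string) (string, error) {
	v, ok := os.LookupEnv(name)
	if !ok || v == "" {
		return "", fmt.Errorf("%w: %s", ErrMissingCredential, name)
	}
	return v, nil
}

// LoadCredentials fails closed: if either variable is missing it returns an
// error instead of a partially populated struct.
func LoadCredentials() (Credentials, error) {
	user, err := requiredEnv("CASSANDRA_USERNAME")
	if err != nil {
		return Credentials{}, err
	}
	pass, err := requiredEnv("CASSANDRA_PASSWORD")
	if err != nil {
		return Credentials{}, err
	}
	return Credentials{Username: user, Password: pass}, nil
}

// String implements fmt.Stringer so that logging a Credentials value by accident
// (fmt.Println(creds), %v in a log line) prints a redacted form, not the password.
func (c Credentials) String() string {
	return fmt.Sprintf("Credentials{Username:%q Password:<redacted>}", c.Username)
}

func main() {
	creds, err := LoadCredentials()
	if err != nil {
		fmt.Fprintln(os.Stderr, "startup aborted:", err)
		os.Exit(1)
	}
	// Hypothetical use: pass creds.Username / creds.Password to the driver's
	// authenticator here instead of string literals.
	fmt.Println("loaded", creds)
}
```

Run with `CASSANDRA_USERNAME=app_user CASSANDRA_PASSWORD=... go run main.go`; running it with either variable unset exits non-zero with a message naming the missing variable, which is the behaviour a copy-pasted example should teach.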
Summary:
This issue is about consistency and leadership in security practices. By fixing it, you help all users of the project avoid common security mistakes and make the project more professional and trustworthy.