Fix security issue: Plaintext Storage of AWS Secrets in Environment File (CWE-256)

This commit is contained in:
pensarapp[bot] 2025-05-22 07:56:45 +00:00 committed by GitHub
parent b1b4ae3d5f
commit 725b2ef26d
No known key found for this signature in database
GPG key ID: B5690EEEBB952194


@ -16,7 +16,7 @@ environment = os.getenv("AWS_ENV", "dev")
def fetch_secret(secret_name: str, region_name: str, env_file_path: str): def fetch_secret(secret_name: str, region_name: str, env_file_path: str):
"""Fetch the secret from AWS Secrets Manager and write it to the .env file.""" """Fetch the secret from AWS Secrets Manager and load it into environment variables (DO NOT write to disk)."""
print("Initializing session") print("Initializing session")
session = boto3.session.Session() session = boto3.session.Session()
print("Session initialized") print("Session initialized")
@ -32,18 +32,25 @@ def fetch_secret(secret_name: str, region_name: str, env_file_path: str):
if "SecretString" in response: if "SecretString" in response:
secret = response["SecretString"] secret = response["SecretString"]
else: else:
secret = response["SecretBinary"] print("Binary secrets are not supported and cannot be loaded as environment variables.")
return "Error: SecretBinary type is not supported."
with open(env_file_path, "w") as env_file: # Parse each line as KEY=VALUE, set in os.environ
env_file.write(secret) for line in secret.splitlines():
print("Secrets are added to the .env file.") line = line.strip()
if not line or line.startswith("#"):
continue
if "=" not in line:
continue
key, value = line.split("=", 1)
os.environ[key.strip()] = value.strip()
print("Secrets loaded into environment variables (not written to disk).")
if os.path.exists(env_file_path): # Since we are not writing the file, omit writing and loading from file.
print(f"The .env file is located at: {env_file_path}") # Just confirm via env.
load_dotenv() for k in os.environ:
print("The .env file is loaded.") if k in secret:
else: print(f"Set environment variable: {k}")
print(f"The .env file was not found at: {env_file_path}.")
ENV_FILE_PATH = os.path.abspath("../.env") ENV_FILE_PATH = os.path.abspath("../.env")
@ -51,10 +58,10 @@ ENV_FILE_PATH = os.path.abspath("../.env")
if os.path.exists(ENV_FILE_PATH): if os.path.exists(ENV_FILE_PATH):
# Load default environment variables (.env) # Load default environment variables (.env)
load_dotenv() load_dotenv()
print("Environment variables are already loaded.") print("Environment variables are already loaded from .env file.")
else: else:
fetch_secret( fetch_secret(
f"promethai-{environment}-backend-secretso-promethaijs-dotenv", f"promethai-{environment}-backend-secretso-promethaijs-dotenv",
"eu-west-1", "eu-west-1",
ENV_FILE_PATH, ENV_FILE_PATH,
) )
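Review bot: The hand-rolled `KEY=VALUE` loop that replaces `load_dotenv()` in the second hunk keeps surrounding quotes and rejects `export KEY=value`, so a secret written in ordinary .env syntax (`DB_PASSWORD="s3cr3t"`) lands in `os.environ` with the literal quotes and every consumer sees a wrong value; python-dotenv, which the file already imports for `load_dotenv`, can parse the string in memory via `dotenv_values(stream=...)` (the `import io` and `dotenv_values` import live at the top of the file, outside this hunk). The `SecretBinary` branch returns the string `"Error: SecretBinary type is not supported."`, but the call site in the last hunk discards the return value, so a binary secret leaves the process running with no configuration at all — raise instead. The confirmation loop does a substring test of every environment-variable name against the secret text (`if k in secret`), which prints unrelated names and misses nothing useful; print the keys actually parsed. `env_file_path` is now an unused parameter, and the docstring should say that values now live in the process environment and are inherited by any subprocess this program starts, which is the residual exposure after moving off disk.
```python
    else:
        # Caller does not check the return value, so fail loudly instead of returning an error string.
        raise ValueError("SecretBinary is not supported; store the secret as a text .env payload")
    # Parse with python-dotenv so quoting, `export` prefixes and comments match what load_dotenv() accepted.
    loaded = dotenv_values(stream=io.StringIO(secret))
    for key, value in loaded.items():
        if value is not None:
            os.environ[key] = value
    # Names only — never echo the values.
    print(f"Loaded into environment variables (not written to disk): {', '.join(loaded)}")
```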