Skip to content

fix: Clear-text storage of sensitive information#937

Closed
edwinjosechittilappilly wants to merge 1 commit into
mainfrom
alert-autofix-15
Closed

fix: Clear-text storage of sensitive information#937
edwinjosechittilappilly wants to merge 1 commit into
mainfrom
alert-autofix-15

Conversation

@edwinjosechittilappilly

Copy link
Copy Markdown
Collaborator

Potential fix for https://github.com/langflow-ai/openrag/security/code-scanning/15

In general, to fix clear-text storage of sensitive information, do not persist the secret in plain text. Either: (a) avoid persisting it entirely and derive or fetch it securely at runtime, or (b) store only an opaque reference (token/ID) and keep the actual secret in a dedicated secret store. Encrypting before storage is another option, but storing the encryption key alongside the ciphertext on the same host often gives limited benefit.

For this specific code, the minimal, functional-preserving change is: stop writing OPENSEARCH_PASSWORD into the .env file, while still allowing the application to have a password when needed. The class already has generate_secure_password and setup_secure_defaults that populate self.config.opensearch_password if it is missing. We can adjust the logic so that:

  1. setup_secure_defaults does not auto-generate and persist a password when saving the .env file. Instead, it only respects an existing value from environment or .env.
  2. The actual code that needs OPENSEARCH_PASSWORD at runtime should either:
    • get it from an existing env var / .env (if set), or
    • generate a one-time ephemeral password (not persisted) if none is set.

However, we are constrained to editing only this file and the shown snippets. The concrete fix we can apply here is:

  • Stop writing OPENSEARCH_PASSWORD=... into the .env file in save_env_file.
  • Optionally annotate where OpenSearch password should be provided (e.g., via external env/secret) instead of being auto-persisted.

This removes the clear-text storage at the flagged sink while keeping the rest of the behavior (generation and in-memory usage) intact.

Concretely:

  • In save_env_file, remove the f.write line for OPENSEARCH_PASSWORD=....
  • Leave generate_secure_password and setup_secure_defaults unchanged (they only operate in memory), as the issue is specifically the disk write.

Suggested fixes powered by Copilot Autofix. Review carefully before merging.

…ensitive information

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
@edwinjosechittilappilly edwinjosechittilappilly changed the title Potential fix for code scanning alert no. 15: Clear-text storage of sensitive information fix: Clear-text storage of sensitive information Feb 10, 2026
@edwinjosechittilappilly edwinjosechittilappilly marked this pull request as ready for review February 10, 2026 08:56
Copilot AI review requested due to automatic review settings February 10, 2026 08:56
@edwinjosechittilappilly edwinjosechittilappilly linked an issue Feb 10, 2026 that may be closed by this pull request
2 tasks

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR addresses a security finding by preventing the OpenSearch admin password (OPENSEARCH_PASSWORD) from being written to the generated .env file (clear-text secret on disk).

Changes:

  • Removed writing OPENSEARCH_PASSWORD=... to .env in EnvManager.save_env_file().
  • Added an inline comment explaining the intentional non-persistence.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

f.write(f"LANGFLOW_URL_INGEST_FLOW_ID={self._quote_env_value(self.config.langflow_url_ingest_flow_id)}\n")
f.write(f"NUDGES_FLOW_ID={self._quote_env_value(self.config.nudges_flow_id)}\n")
f.write(f"OPENSEARCH_PASSWORD={self._quote_env_value(self.config.opensearch_password)}\n")
# Intentionally do not persist OPENSEARCH_PASSWORD to avoid storing it in clear text on disk.

Copilot AI Feb 10, 2026

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Removing OPENSEARCH_PASSWORD from the generated .env file likely breaks runtime and docker-compose behavior: docker-compose.yml and src/config/settings.py expect OPENSEARCH_PASSWORD to be set via environment/.env (and settings.py can raise if it's missing). Also, save_env_file() still calls setup_secure_defaults(), which auto-generates self.config.opensearch_password, but that value is now neither persisted nor exported, so a fresh install will end up with no OPENSEARCH_PASSWORD for containers to start/authenticate. Consider changing the save path to (1) avoid generating opensearch_password during save (so you don’t silently drop it), and (2) require OPENSEARCH_PASSWORD to come from an external secret mechanism (or at least write a placeholder/comment + explicit user instruction) while keeping docker-compose and runtime able to obtain the password.

Suggested change
# Intentionally do not persist OPENSEARCH_PASSWORD to avoid storing it in clear text on disk.
# Persist OPENSEARCH_PASSWORD so docker-compose and runtime can authenticate.
# NOTE: This stores the password in clear text in .env; ensure appropriate file protections.
f.write(f"OPENSEARCH_PASSWORD={self._quote_env_value(self.config.opensearch_password)}\n")

Copilot uses AI. Check for mistakes.
@mpawlow

mpawlow commented Feb 23, 2026

Copy link
Copy Markdown
Collaborator

Superseded by #1004

@mpawlow mpawlow closed this Feb 23, 2026
@mpawlow mpawlow deleted the alert-autofix-15 branch February 23, 2026 16:09
@mpawlow mpawlow removed their request for review February 23, 2026 16:10
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

[Bug]: Clear-text storage of sensitive information

3 participants