89de4d7476
## Review A dedicated reviewer checked the rule description successfully for: - [x] logical errors and incorrect information - [x] information gaps and missing content - [x] text style and tone - [x] PR summary and labels follow [the guidelines](https://github.com/SonarSource/rspec/#to-modify-an-existing-rule)
29 lines
861 B
Plaintext
29 lines
861 B
Plaintext
== How to fix it in SQLAlchemy
|
|
|
|
=== Code examples
|
|
|
|
The following code uses an empty password to connect to a Postgres database.
|
|
|
|
The vulnerability can be fixed by using a strong password retrieved from an environment variable `DB_PASSWORD`. This environment variable is set during deployment. It should be strong and different for each database.
|
|
|
|
==== Noncompliant code example
|
|
|
|
[source,python,diff-id=103,diff-type=noncompliant]
|
|
----
|
|
def configure_app(app):
|
|
app.config['SQLALCHEMY_DATABASE_URI'] = "postgresql://user:@domain.com" # Noncompliant
|
|
----
|
|
|
|
==== Compliant solution
|
|
|
|
[source,python,diff-id=103,diff-type=compliant]
|
|
----
|
|
def configure_app(app):
|
|
db_password = os.getenv('DB_PASSWORD')
|
|
app.config['SQLALCHEMY_DATABASE_URI'] = f"postgresql://user:{db_password}@domain.com"
|
|
----
|
|
|
|
=== Pitfalls
|
|
|
|
include::../../common/pitfalls/hard-coded.adoc[]
|