Skip to content

fix: replace hardcoded credentials in docker-compose and harden server/.gitignore (#1527)#1677

Open
carlosjarenom wants to merge 2 commits into
eigent-ai:mainfrom
carlosjarenom:fix/issue-1527-security-hardcoded-creds
Open

fix: replace hardcoded credentials in docker-compose and harden server/.gitignore (#1527)#1677
carlosjarenom wants to merge 2 commits into
eigent-ai:mainfrom
carlosjarenom:fix/issue-1527-security-hardcoded-creds

Conversation

@carlosjarenom

Copy link
Copy Markdown
Contributor

Summary

Fix remaining security issues from #1527 (part 2 was already addressed in a prior commit).

Changes

1. Replace hardcoded database passwords in compose files

  • server/docker-compose.yml: Replace all instances of 123456 with ${POSTGRES_PASSWORD:-123456}
    • POSTGRES_PASSWORD environment variable for the Postgres service
    • database_url references in api, celery_worker, and celery_beat services (both build args and runtime env)
  • server/docker-compose.dev.yml: Same replacement for the Postgres service

2. Harden server/.gitignore

  • Add .\env to prevent accidental credential commits from the server directory
  • Add alembic.ini which may contain database connection strings

3. Update server/.env.example

  • Add POSTGRES_PASSWORD=CHANGE_ME placeholder
  • Change secret_key=postgres to secret_key=CHANGE_ME

Backwards Compatibility

All substitutions use ${POSTGRES_PASSWORD:-123456} syntax, so existing deployments that don't set POSTGRES_PASSWORD will continue to work with the default value. New deployments can override by setting the variable in their .\env file.

Related

@Douglasymlai Douglasymlai added bug Something isn't working backend labels Jul 3, 2026
@Douglasymlai
Douglasymlai requested a review from 4pmtong July 3, 2026 13:41
@carlosjarenom
carlosjarenom force-pushed the fix/issue-1527-security-hardcoded-creds branch 2 times, most recently from 965709a to cbde07c Compare July 4, 2026 17:37
@carlosjarenom

Copy link
Copy Markdown
Contributor Author

Rebased on latest upstream/main and force-pushed.

Changes: Replaced hardcoded 123456 passwords in docker-compose.yml and docker-compose.dev.yml with ${POSTGRES_PASSWORD:***} env var syntax. Added .env and alembic.ini to server/.gitignore. Updated .env.example with POSTGRES_PASSWORD=*** and secret_key=CHANGE_ME.

@4pmtong

4pmtong commented Jul 18, 2026

Copy link
Copy Markdown
Collaborator

Hi @carlosjarenom Thanks for the security cleanup here. One small thing to double-check: database_url is now passed through build.args, and server/Dockerfile currently turns ARG database_url into ENV database_url=$database_url. If someone sets a real POSTGRES_PASSWORD, that credential may end up baked into the Docker image metadata after build.

Could we keep database_url runtime-only in compose and avoid passing the deployment password as a build arg? If the build still needs a value, a non-secret placeholder would be safer.

…#1480)

- Add ensure_gif_infinite_loop() and post_process_gifs_in_directory() in file_utils.py
- Hook into TerminalToolkit.shell_exec() after blocking commands
- Hook into chat_service.collect_previous_task_context() as safety net
- Re-saves GIFs with loop=0 (infinite) using PIL, preserving frame durations/disposal
- Removes invalid loop='infinite' attribute from MarkDown.tsx (was wrong approach per eigent-ai#1676 review)

Fixes eigent-ai#1480
…igent-ai#1677 review)

- build.args: use non-secret placeholder for database_url
- environment: keep runtime substitution with ${POSTGRES_PASSWORD:-123456}
- Both docker-compose.yml and docker-compose.dev.yml updated

Fixes credential leak risk in image metadata (per @4pmtong review).
@carlosjarenom
carlosjarenom force-pushed the fix/issue-1527-security-hardcoded-creds branch from 3b187c4 to 7d2aa72 Compare July 19, 2026 00:19
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

backend bug Something isn't working Review Required

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Security: hardcoded credentials in docker-compose and chat_share.py

3 participants