auto-claude: 2.1 - Replace hardcoded password in database.py with safe fallback

- Replaced hardcoded password 'NordaBiz2025Secure' with placeholder 'CHANGE_ME' - Added comprehensive warning comment about CWE-798 (Use of Hard-coded Credentials) - Production credentials must now be set via DATABASE_URL environment variable
2026-01-10 12:47:23 +01:00 · 2026-01-10 12:47:23 +01:00 · 6e9f1a4e4d
commit 6e9f1a4e4d
parent fa4fb92390
1 changed files with 4 additions and 1 deletions
--- a/database.py
+++ b/database.py
@ -32,9 +32,12 @@ from sqlalchemy.orm import sessionmaker, relationship
 from flask_login import UserMixin

 # Database configuration
+# WARNING: The fallback DATABASE_URL uses a placeholder password.
+# Production credentials MUST be set via the DATABASE_URL environment variable.
+# NEVER commit real credentials to version control (CWE-798).
 DATABASE_URL = os.getenv(
    'DATABASE_URL',
-    'postgresql://nordabiz_app:NordaBiz2025Secure@localhost:5432/nordabiz'
+    'postgresql://nordabiz_app:CHANGE_ME@localhost:5432/nordabiz'
 )

 # Determine if we're using SQLite