From 73ac3645ea052577ff5c3658dcce7e7f61778bf8 Mon Sep 17 00:00:00 2001
From: Sebastion
Date: Sat, 28 Mar 2026 00:57:30 +0000
Subject: [PATCH] fix: remove hardcoded MongoDB credentials from docker-compose.yaml

Replace hardcoded MONGO_INITDB_ROOT_USERNAME and MONGO_INITDB_ROOT_PASSWORD with Docker Compose variable substitution that reads from the shell environment / .env file.

MONGO_INITDB_ROOT_PASSWORD now uses the ${VAR:?error} syntax so `docker compose up` will fail fast with a clear message when the password has not been set, preventing accidental deployment with well-known credentials.

env.template is updated to remove the shipped default password ("memsys123") and instead prompt the user to set a strong value.

CWE-798
---
 docker-compose.yaml | 8 +++++---
 env.template | 2 +-
 2 files changed, 6 insertions(+), 4 deletions(-)

diff --git a/docker-compose.yaml b/docker-compose.yaml
index 29407030..baacf19f 100644
--- a/docker-compose.yaml
+++ b/docker-compose.yaml
@@ -7,8 +7,11 @@ services:
     container_name: memsys-mongodb
     restart: unless-stopped
     environment:
-      MONGO_INITDB_ROOT_USERNAME: admin
-      MONGO_INITDB_ROOT_PASSWORD: memsys123
+      # Credentials are read from shell environment / .env file.
+      # Copy env.template to .env and set MONGODB_USERNAME and MONGODB_PASSWORD
+      # before running `docker compose up`.
+      MONGO_INITDB_ROOT_USERNAME: ${MONGODB_USERNAME:-admin}
+      MONGO_INITDB_ROOT_PASSWORD: ${MONGODB_PASSWORD:?MONGODB_PASSWORD must be set in .env – see env.template}
       MONGO_INITDB_DATABASE: memsys
     ports:
       - "27017:27017"
@@ -160,4 +163,3 @@ volumes:
 networks:
   memsys-network:
     driver: bridge
-
diff --git a/env.template b/env.template
index 72ca8855..1262259d 100755
--- a/env.template
+++ b/env.template
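Review bot: The two added `MONGO_INITDB_ROOT_*` lines only take effect when the mongo image initialises an empty data directory, so a deployment whose volume was created under the old `admin`/`memsys123` pair presumably keeps those credentials after this change, and the "preventing accidental deployment with well-known credentials" claim in the message holds for fresh volumes only. That caveat belongs next to the new lines, e.g. `# NOTE: these are applied only on first initialisation of the data volume; existing deployments must rotate the root password or recreate the volume.` The unchanged `- "27017:27017"` context line still publishes the database on every host interface, which the password fix does not address; if only sibling containers need it, `- "127.0.0.1:27017:27017"` (or dropping the mapping in favour of the compose network) limits the exposure. As a style point, Compose substitutes `${…}` after YAML parsing, so quoting both values (`MONGO_INITDB_ROOT_USERNAME: "${MONGODB_USERNAME:-admin}"`) matches the quoted port mapping below and guards the plain scalar against a later edit that introduces `: ` or ` #` into the error text.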
@@ -129,7 +129,7 @@ REDIS_SSL=false
 MONGODB_HOST=localhost
 MONGODB_PORT=27017
 MONGODB_USERNAME=admin
-MONGODB_PASSWORD=memsys123
+MONGODB_PASSWORD= # REQUIRED: set a strong password before running docker compose
 MONGODB_DATABASE=memsys
 MONGODB_URI_PARAMS=socketTimeoutMS=15000&authSource=admin