blog/content/posts/commits/2026-01-29-commit-ee2d9c7.md
Betty 7ac1bd5f4f
Add 62 blog posts generated from git commit history
One-shot import of all bojemoi repo commits as Hugo posts.
Each post includes metadata, files changed, and diff stats.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-17 14:16:05 +01:00


---
title: "Security: Remove hardcoded credentials and add input validation"
date: 2026-01-29T16:58:21+01:00
draft: false
tags: ["commit", "bojemoi", "samsonov", "orchestrator"]
categories: ["Git Activity"]
summary: "Commit ee2d9c7 par Betty — 6 fichier(s) modifié(s)"
author: "Betty"
---
## Commit `ee2d9c7`
| | |
|---|---|
| **Repository** | bojemoi |
| **Branch** | `main` |
| **Author** | Betty |
| **Hash** | `ee2d9c7ff59ea9dbde783630d20eeac2027c567b` |
| **Date** | 2026-01-29 |
### Description

BREAKING CHANGE: All secrets now require environment variables

- config.py: Remove hardcoded POSTGRES_PASSWORD, GITEA_TOKEN, XENSERVER_PASS
  - Add field validators to reject placeholder values
  - CORS_ORIGINS now configurable (defaults to specific domains, not "*")
- main.py: Fix CORS to use configured origins instead of wildcard
  - Replace bare except: handlers with proper exception logging
- schemas.py: Add input validation patterns
  - VM/container names: alphanumeric, hyphens, underscores only
  - Docker images: validate format (registry/image:tag)
  - Port mappings: validate format and range (1-65535)
  - Add max length constraints to prevent abuse
- plugin_zap.py, plugin_burp.py: Load API keys from environment
  - ZAP_API_KEY and BURP_API_KEY env vars required
- .env.example: Document all required environment variables

ACTION REQUIRED: Rotate exposed credentials in git history

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
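
As an added illustration (not the project's own `config.py` or `schemas.py`, which are not reproduced on this page), the standard-library Python below sketches the checks the commit message lists: required secrets read from the environment with placeholder values refused, and validators for VM/container names, Docker image references and port mappings with the 1-65535 range and a maximum length. The placeholder word list, the exact image-reference pattern and the `host:container` port syntax are assumptions.

```python
import os
import re
from typing import Mapping

# Assumed list of placeholder strings a settings loader should refuse
# (constructed for this example; the project's own list is not on the page).
PLACEHOLDERS = {"", "changeme", "change_me", "password", "secret", "todo"}

# VM/container names: alphanumeric, hyphens, underscores; max length assumed 63
NAME_RE = re.compile(r"^[A-Za-z0-9_-]{1,63}$")
# Docker image reference: optional registry host[:port]/, repo path, mandatory :tag
IMAGE_RE = re.compile(
    r"^(?:[a-z0-9.-]+(?::\d{1,5})?/)?[a-z0-9._/-]{1,200}:[A-Za-z0-9._-]{1,128}$"
)
# Port mapping as host:container (assumed syntax); range is checked separately
PORT_RE = re.compile(r"^(\d{1,5}):(\d{1,5})$")


def require_secret(name: str, env: Mapping[str, str] = os.environ) -> str:
    """Return the environment variable `name`, refusing missing or placeholder values."""
    value = env.get(name)
    if value is None:
        raise RuntimeError(f"{name} must be set in the environment")
    # Reject empty strings, known placeholder words and template-style <VALUE> markers
    if value.strip().lower() in PLACEHOLDERS or value.strip().startswith("<"):
        raise ValueError(f"{name} still holds a placeholder value; set a real secret")
    return value


def valid_name(name: str) -> bool:
    """VM/container name: only [A-Za-z0-9_-], bounded length."""
    return NAME_RE.fullmatch(name) is not None


def valid_image(ref: str) -> bool:
    """Docker image reference in registry/image:tag form (tag required)."""
    return IMAGE_RE.fullmatch(ref) is not None


def valid_port_mapping(spec: str) -> bool:
    """host:container mapping where both ports fall within 1-65535."""
    match = PORT_RE.fullmatch(spec)
    if match is None:
        return False
    return all(1 <= int(port) <= 65535 for port in match.groups())
```

Wiring these into the request schema means a malformed name or image is rejected before it reaches any provisioning command, and a placeholder secret fails at startup rather than silently running with a known value.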
### Files modified
```
M provisioning/orchestrator/.env.example
M provisioning/orchestrator/app/config.py
M provisioning/orchestrator/app/main.py
M provisioning/orchestrator/app/models/schemas.py
M samsonov/pentest_orchestrator/plugins/plugin_burp.py
M samsonov/pentest_orchestrator/plugins/plugin_zap.py
```
### Statistics
```
6 files changed, 353 insertions(+), 144 deletions(-)
```