From 62f8b28de86e53ff6dfbb5440b251ff24ef32cdd Mon Sep 17 00:00:00 2001
From: Ganesh Patil <7030871503ganeshpatil@gmail.com>
Date: Sat, 14 Feb 2026 12:16:50 +0530
Subject: [PATCH 1/2] security: remove hardcoded Flask secret, disable debug mode, add SHA256 verification (Issue #272)
---
 Dockerfile.sh | 5 ++++-
 fri/server/main.py | 8 ++++++--
 2 files changed, 10 insertions(+), 3 deletions(-)
diff --git a/Dockerfile.sh b/Dockerfile.sh
index 0e17693b..b8773daf 100644
--- a/Dockerfile.sh
+++ b/Dockerfile.sh
@@ -9,7 +9,10 @@ RUN mkdir /mcr-install \
 WORKDIR /mcr-install
-RUN wget https://ssd.mathworks.com/supportfiles/downloads/R2021a/Release/1/deployment_files/installer/complete/glnxa64/MATLAB_Runtime_R2021a_Update_1_glnxa64.zip
+ENV MATLAB_RUNTIME_SHA256="b821022690804e498d2e5ad814dccb64aab17c5e4bc10a1e2a12498ef5364e0d"
+
+RUN wget https://ssd.mathworks.com/supportfiles/downloads/R2021a/Release/1/deployment_files/installer/complete/glnxa64/MATLAB_Runtime_R2021a_Update_1_glnxa64.zip \
+ && echo "${MATLAB_RUNTIME_SHA256} MATLAB_Runtime_R2021a_Update_1_glnxa64.zip" | sha256sum -c -
 RUN unzip MATLAB_Runtime_R2021a_Update_1_glnxa64.zip \
 && ./install -destinationFolder /opt/mcr -agreeToLicense yes -mode silent \
diff --git a/fri/server/main.py b/fri/server/main.py
index f94bc663..6919e1ac 100644
--- a/fri/server/main.py
+++ b/fri/server/main.py
@@ -14,7 +14,9 @@ app = Flask(__name__)
-app.secret_key = "secret key"
+app.secret_key = os.environ.get("FLASK_SECRET_KEY")
+if not app.secret_key:
+ raise RuntimeError("FLASK_SECRET_KEY environment variable not set")
 cors = CORS(app)
 app.config['CORS_HEADERS'] = 'Content-Type'
@@ -407,4 +409,6 @@ def openJupyter():
 if __name__ == "__main__":
- app.run(host="0.0.0.0", port=5000)
+ # In production, use:
+ # gunicorn -w 4 -b 0.0.0.0:5000 main:app
+ app.run(host="0.0.0.0", port=5000, debug=False)
From 37cbd17ec8d0411c406bbd967cc9a5c3f321437c Mon Sep 17 00:00:00 2001
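Review bot: The pinned digest on the new `ENV MATLAB_RUNTIME_SHA256=...` line carries no record of where it came from, so a later reader cannot tell whether it matches a vendor-published checksum or was computed from a single local download. I would add a comment above it along the lines of `# SHA-256 of MATLAB_Runtime_R2021a_Update_1_glnxa64.zip, taken from <source> on <date>`, with the placeholders filled in by the author. Running `sha256sum -c -` in the same `RUN` as the `wget` is the right shape, since a mismatch stops the build before the `unzip` and `./install` step. The `RUN mkdir` instruction named in the hunk header starts outside the hunk.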
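Review bot: The new guard `if not app.secret_key:` rejects only an unset or empty variable, so a deployment that exports the old literal (`FLASK_SECRET_KEY="secret key"`) or any other short value still starts with a guessable session-signing key. A minimum-length check would close that, for example `if not app.secret_key or len(app.secret_key) < 32:`, with the error message stating the expected length. The hunk also depends on `os` being imported; the import block is outside the hunk, so that should be confirmed. Because the previous key was public in the repository, cookies signed with it should be treated as forgeable, and the deployment notes should say that this change invalidates existing sessions.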
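Review bot: The rewritten `app.run(host="0.0.0.0", port=5000, debug=False)` still puts Werkzeug's development server on every interface, and the gunicorn advice above it is only a comment, so nothing prevents this path from being the one that serves real traffic. I would default to loopback and make the wider bind an explicit choice, e.g. `app.run(host=os.environ.get("FLASK_RUN_HOST", "127.0.0.1"), port=5000, debug=False)`. Passing `debug=False` explicitly is a good change, since it keeps the interactive debugger off even when `FLASK_DEBUG` is set in the environment. The body of `openJupyter()` named in the hunk header lies outside the hunk.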
From: Ganesh Patil <7030871503ganeshpatil@gmail.com>
Date: Sat, 14 Feb 2026 12:28:56 +0530
Subject: [PATCH 2/2] security: address PR review - graceful dev fallback, fix gunicorn path, use ARG for SHA256 override
---
 Dockerfile.sh | 3 ++-
 fri/server/main.py | 14 ++++++++++----
 2 files changed, 12 insertions(+), 5 deletions(-)
diff --git a/Dockerfile.sh b/Dockerfile.sh
index b8773daf..eec9f62b 100644
--- a/Dockerfile.sh
+++ b/Dockerfile.sh
@@ -9,7 +9,8 @@ RUN mkdir /mcr-install \
 WORKDIR /mcr-install
-ENV MATLAB_RUNTIME_SHA256="b821022690804e498d2e5ad814dccb64aab17c5e4bc10a1e2a12498ef5364e0d"
+ARG MATLAB_RUNTIME_SHA256="b821022690804e498d2e5ad814dccb64aab17c5e4bc10a1e2a12498ef5364e0d"
+ENV MATLAB_RUNTIME_SHA256=${MATLAB_RUNTIME_SHA256}
 RUN wget https://ssd.mathworks.com/supportfiles/downloads/R2021a/Release/1/deployment_files/installer/complete/glnxa64/MATLAB_Runtime_R2021a_Update_1_glnxa64.zip \
 && echo "${MATLAB_RUNTIME_SHA256} MATLAB_Runtime_R2021a_Update_1_glnxa64.zip" | sha256sum -c -
diff --git a/fri/server/main.py b/fri/server/main.py
index 6919e1ac..a92f16df 100644
--- a/fri/server/main.py
+++ b/fri/server/main.py
@@ -14,9 +14,15 @@ app = Flask(__name__)
-app.secret_key = os.environ.get("FLASK_SECRET_KEY")
-if not app.secret_key:
- raise RuntimeError("FLASK_SECRET_KEY environment variable not set")
+secret_key = os.environ.get("FLASK_SECRET_KEY")
+if not secret_key:
+ # In production, require an explicit FLASK_SECRET_KEY to be set.
+ # For local development and tests, fall back to a per-process random key
+ # so that importing this module does not fail hard.
+ if os.environ.get("FLASK_ENV") == "production":
+ raise RuntimeError("FLASK_SECRET_KEY environment variable not set in production")
+ secret_key = os.urandom(32)
+app.secret_key = secret_key
 cors = CORS(app)
 app.config['CORS_HEADERS'] = 'Content-Type'
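Review bot: Turning the digest into `ARG MATLAB_RUNTIME_SHA256=...` lets the value the download is checked against be replaced from outside the file with `--build-arg`, so the pin is only as trustworthy as whoever controls the build invocation. The download URL stays fixed, so the only time the digest needs overriding is when the upstream file has changed, which is the event the check exists to catch. If the override is kept, I would add a comment such as `# Default is the reviewed digest; overriding it bypasses that review`. The added `ENV MATLAB_RUNTIME_SHA256=${MATLAB_RUNTIME_SHA256}` looks unnecessary, because an `ARG` is already visible to later `RUN` instructions in the same build stage (assuming the `RUN wget` is in that stage, which the hunk does not show), and dropping it keeps the value out of the runtime environment.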
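Review bot: The new fallback fails open: the `raise` is reached only when `FLASK_ENV` is exactly `"production"`, so a production host that never sets that variable silently gets `os.urandom(32)` instead of an error. Flask itself stopped reading `FLASK_ENV` in 2.3, so operators have little reason to set it. With a per-process key and several gunicorn workers (the comment in the `__main__` block suggests `-w 4`), each worker would likely sign with a different key unless the app is preloaded, so session cookies would fail validation intermittently and be lost on every restart. Inverting the test makes the safe path the default, `if os.environ.get("FLASK_ENV") != "development":` ahead of the `raise`, with a logged warning whenever the random key is used.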
@@ -410,5 +416,5 @@ def openJupyter():
 if __name__ == "__main__":
 # In production, use:
- # gunicorn -w 4 -b 0.0.0.0:5000 main:app
+ # gunicorn -w 4 -b 0.0.0.0:5000 fri.server.main:app
 app.run(host="0.0.0.0", port=5000, debug=False)