4 changes: 4 additions & 0 deletions .jules/sentinel.md
@@ -0,0 +1,4 @@
## 2024-04-10 - Hardcoded password in tests

⚠️ Potential issue | 🟡 Minor

Use the correct incident date for auditability.

Line 1 says 2024-04-10, but this PR/security event is dated April 10, 2026. If this is the current incident entry, update the heading date to 2026-04-10 to keep the journal timeline accurate.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.jules/sentinel.md at line 1, Update the incident heading in
.jules/sentinel.md: replace the heading "## 2024-04-10 - Hardcoded password in
tests" with the correct date "## 2026-04-10 - Hardcoded password in tests" so
the journal entry's timestamp matches the PR/security event; verify the heading
text (the line beginning with "## 2024-04-10") is the only occurrence you
change.

**Vulnerability:** A hardcoded password ("kanbanery") was found in a comment in `tests/inference_test.py`.

⚠️ Potential issue | 🔴 Critical

Do not store the credential literal in the remediation log.

Line 2 still contains the password value ("kanbanery"), which keeps the sensitive secret in-repo. Replace with a redacted placeholder (e.g., "[REDACTED]") and avoid committing raw secret values anywhere, including security notes.

Suggested fix
-**Vulnerability:** A hardcoded password ("kanbanery") was found in a comment in `tests/inference_test.py`.
+**Vulnerability:** A hardcoded password ("[REDACTED]") was found in a comment in `tests/inference_test.py`.
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.jules/sentinel.md at line 2, Replace the hardcoded credential literal
"kanbanery" found in the remediation note with a redacted placeholder like
"[REDACTED]" in the sentinel entry, and remove any other occurrences of that raw
secret in the repo (e.g., the referenced tests/inference_test.py) by loading
test credentials from environment/config or a test fixture instead of committing
them; update the sentinel.md text to not include the secret and ensure the
commit omits any raw secret values.

**Learning:** Hardcoded credentials even in test comments or disabled code are security risks and violate security conventions.
**Prevention:** Never hardcode passwords in test files or comments. Use environment variables (e.g., TEST_PDF_PASSWORD) instead.
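Review bot: line 2 of this new .jules/sentinel.md entry records the literal password "kanbanery", so the PR relocates the secret from a test comment into a security journal rather than removing it, and the deleted comment in tests/inference_test.py still leaves the value recoverable from git history. Redact the literal in the journal, treat the password as exposed and re-encrypt the test fixture with a fresh one, and rework the Prevention line: it recommends TEST_PDF_PASSWORD, yet the only test touched in this PR asserts EncryptedPdfError without passing any password, so the variable it names has no consumer in the code base as changed here.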
2 changes: 1 addition & 1 deletion tests/inference_test.py
Expand Up @@ -44,7 +44,7 @@ def test_mutlinline(tmp_path):


def test_encrypted_failure(tmp_path):
# Reminder to future Joe: password for encrypted PDF is "kanbanery"
# Reminder to future Joe: password for encrypted PDF should be provided via environment variable, e.g., os.environ.get("TEST_PDF_PASSWORD")

⚠️ Potential issue | 🟡 Minor

Comment at Line 47 is misleading relative to current behavior.

Line 47 says password should come from TEST_PDF_PASSWORD, but commonforms.prepare_form currently does not accept any password input and encrypted PDFs are expected to fail unconditionally. Please reword this to a future-facing note (e.g., “if/when password support is added”) to avoid incorrect implementation assumptions.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@tests/inference_test.py` at line 47, Update the misleading inline comment:
change the note about providing a password via TEST_PDF_PASSWORD to a
future-facing remark that acknowledges current lack of password support in
commonforms.prepare_form (e.g., "if/when password support is added, password
could be passed via an env var"), and remove the concrete env var suggestion so
it doesn't imply prepare_form currently accepts passwords.

output_path = tmp_path / "output.pdf"

with pytest.raises(commonforms.exceptions.EncryptedPdfError):
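Review bot: the replacement comment at line 47 tells the reader the password "should be provided via environment variable, e.g., os.environ.get("TEST_PDF_PASSWORD")", but the body that follows only asserts that the encrypted PDF raises EncryptedPdfError, so nothing in this test reads that variable and the reminder describes a code path that does not exist. Either drop the reminder (the test needs no password to do what it asserts) or make it future-facing, for example `# Encrypted PDFs are expected to fail here; if password support is ever added, read the password from an env var rather than hardcoding it.` Swapping one comment for another also does nothing for the exposed value itself; see the note on the sentinel.md hunk about rotating the fixture password.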