From f691c28124097b2a72dc13b25a383a23f477e279 Mon Sep 17 00:00:00 2001 From: "google-labs-jules[bot]" <161369871+google-labs-jules[bot]@users.noreply.github.com> Date: Tue, 20 Jan 2026 07:37:25 +0000 Subject: [PATCH] Sentinel: Fix hardcoded empty env vars for secrets Replaced `std::env::var("")` placeholders with explicit environment variable names (`KAFKA_SASL_PASSWORD` and `KAFKA_PRODUCER_SASL_PASSWORD`) in `thunder/kafka_utils.rs`. This ensures secrets can be securely provided via the environment instead of relying solely on command-line arguments. Also added `.jules/sentinel.md` to document the finding as per Sentinel protocol. --- .jules/sentinel.md | 4 ++++ thunder/kafka_utils.rs | 7 ++++--- 2 files changed, 8 insertions(+), 3 deletions(-) create mode 100644 .jules/sentinel.md diff --git a/.jules/sentinel.md b/.jules/sentinel.md new file mode 100644 index 0000000..9b4f332 --- /dev/null +++ b/.jules/sentinel.md @@ -0,0 +1,4 @@ +## 2024-10-12 - [Hardcoded Empty String as Env Var Name] +**Vulnerability:** `std::env::var("")` used to retrieve sensitive secrets. +**Learning:** Empty strings as environment variable names always fail to retrieve values, potentially causing applications to fall back to insecure defaults or crash unpredictably. This pattern often indicates a placeholder that was missed during review. +**Prevention:** Ensure all `std::env::var` calls use explicit, documented environment variable names (e.g., `KAFKA_SASL_PASSWORD`). Use linting tools that check for empty strings in such contexts. diff --git a/thunder/kafka_utils.rs b/thunder/kafka_utils.rs index 050ce7f..e8d2d9d 100644 --- a/thunder/kafka_utils.rs +++ b/thunder/kafka_utils.rs @@ -24,11 +24,12 @@ pub async fn start_kafka( user: &str, tx: tokio::sync::mpsc::Sender, ) -> Result<()> { - let sasl_password = std::env::var("") + let sasl_password = std::env::var("KAFKA_SASL_PASSWORD") .ok() - .or(args.sasl_password.clone())?; + .or(args.sasl_password.clone()) + .context("SASL password must be provided via env var KAFKA_SASL_PASSWORD or args")?; - let producer_sasl_password = std::env::var("") + let producer_sasl_password = std::env::var("KAFKA_PRODUCER_SASL_PASSWORD") .ok() .or(args.producer_sasl_password.clone());