🛡️ Sentinel: Fix hardcoded empty env vars for secrets

.jules/sentinel.md

@@ -0,0 +1,4 @@
+## 2024-10-12 - [Hardcoded Empty String as Env Var Name]
+**Vulnerability:** `std::env::var("")` used to retrieve sensitive secrets.
+**Learning:** Empty strings as environment variable names always fail to retrieve values, potentially causing applications to fall back to insecure defaults or crash unpredictably. This pattern often indicates a placeholder that was missed during review.
+**Prevention:** Ensure all `std::env::var` calls use explicit, documented environment variable names (e.g., `KAFKA_SASL_PASSWORD`). Use linting tools that check for empty strings in such contexts.

thunder/kafka_utils.rs

@@ -24,11 +24,12 @@ pub async fn start_kafka(
     user: &str,
     tx: tokio::sync::mpsc::Sender<i64>,
 ) -> Result<()> {
-    let sasl_password = std::env::var("")
+    let sasl_password = std::env::var("KAFKA_SASL_PASSWORD")
         .ok()
-        .or(args.sasl_password.clone())?;
+        .or(args.sasl_password.clone())
+        .context("SASL password must be provided via env var KAFKA_SASL_PASSWORD or args")?;
 
-    let producer_sasl_password = std::env::var("")
+    let producer_sasl_password = std::env::var("KAFKA_PRODUCER_SASL_PASSWORD")
         .ok()
         .or(args.producer_sasl_password.clone());