From 0487c24a17b504c864ef0452bc59a0df39a54eed Mon Sep 17 00:00:00 2001 From: Ganesh Patil <7030871503ganeshpatil@gmail.com> Date: Thu, 19 Feb 2026 01:59:52 +0530 Subject: [PATCH] security: remove hardcoded Flask secret key and load from environment (fixes #362) --- README.md | 10 ++++++++++ fri/server/main.py | 23 ++++++++++++++--------- 2 files changed, 24 insertions(+), 9 deletions(-) diff --git a/README.md b/README.md index 37305503..ba7e8064 100644 --- a/README.md +++ b/README.md @@ -77,6 +77,16 @@ _concore_ supports customization through configuration files in the `CONCOREPATH Tool paths can also be set via environment variables (e.g., `CONCORE_CPPEXE=/usr/bin/g++`). Priority: config file > env var > defaults. +### Security Configuration + +Set a secure secret key for the Flask server before running in production: + +```bash +export FLASK_SECRET_KEY=$(python -c "import secrets; print(secrets.token_hex(32))") +``` + +Do **NOT** commit your secret key to version control. If `FLASK_SECRET_KEY` is not set, a temporary random key will be generated automatically (suitable for local development only). + For a detailed and more scientific documentation, please read our extensive [open-access research paper on CONTROL-CORE](https://doi.org/10.1109/ACCESS.2022.3161471). This paper has a complete discussion on the CONTROL-CORE architecture and deployment, together with the commands to execute the studies in different programming languages and programming environments (Ubuntu, Windows, MacOS, Docker, and distributed execution). diff --git a/fri/server/main.py b/fri/server/main.py index c2e1e659..243d562f 100644 --- a/fri/server/main.py +++ b/fri/server/main.py @@ -2,6 +2,7 @@ from werkzeug.utils import secure_filename import xml.etree.ElementTree as ET import os +import secrets import subprocess from subprocess import call,check_output from pathlib import Path @@ -86,15 +87,19 @@ def get_error_output(e): app = Flask(__name__) -secret_key = os.environ.get("FLASK_SECRET_KEY") -if not secret_key: - # In production, require an explicit FLASK_SECRET_KEY to be set. - # For local development and tests, fall back to a per-process random key - # so that importing this module does not fail hard. - if os.environ.get("FLASK_ENV") == "production": - raise RuntimeError("FLASK_SECRET_KEY environment variable not set in production") - secret_key = os.urandom(32) -app.secret_key = secret_key +app.secret_key = os.getenv("FLASK_SECRET_KEY") + +if not app.secret_key: + # In production, require an explicit secret key to avoid session issues + flask_env = os.getenv("FLASK_ENV", "").lower() + if flask_env in ("development", "dev") or app.debug: + # Generate temporary key for development environments where a secret key + # has not been explicitly configured. + app.secret_key = secrets.token_hex(32) + else: + raise RuntimeError( + "FLASK_SECRET_KEY environment variable must be set in production." + ) cors = CORS(app) app.config['CORS_HEADERS'] = 'Content-Type'