Backend index tweak #5
Desktop-synced iCloud creates copies like 'AGENTS 2.md' and 'next.config 2.ts' that keep landing in git status. Ignore the pattern so they stop appearing.
| const app = express(); | ||
| connectDB(); | ||
🔴 [critical] Hardcoded MongoDB connection string with embedded credentials
A MongoDB Atlas connection URI containing a username and password is hardcoded directly in source code and committed to the repository.
Why it matters: Anyone with read access to this repository can extract the database credentials and gain full access to the MongoDB cluster, potentially reading, modifying, or deleting all health tracker data.
Suggested fix:
Remove the hardcoded URI immediately. Store the connection string in an environment variable (e.g., MONGO_URI) and load it via process.env.MONGO_URI. Rotate the database password now, as it must be considered compromised. Add .env to .gitignore to prevent future leaks.
CodeGuard · security
| const app = express(); | ||
| connectDB(); | ||
| const MONGO_URI = 'mongodb+srv://mayanksaini0416_db_user:%40Mayank0416@cluster0.v0rdlpc.mongodb.net/smart-health-tracker'; |
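Review bot: the `MONGO_URI` line embeds a percent-encoded Atlas password (`%40...`) in source, and because this hunk is already committed, moving the value to `process.env.MONGO_URI` in a follow-up does not unexpose it: the secret stays in git history, in any fork, and in any CI or terminal log that echoed this file. Rotate the database user's password in Atlas before merging anything, replace the literal with `const MONGO_URI = process.env.MONGO_URI;`, and fail startup when it is unset rather than falling back to a default.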
🔴 [critical] Credentials logged to console output
The hardcoded connection string (including username and password) is passed directly to console.log, meaning credentials will appear in any log aggregation system, CI output, or terminal history.
Why it matters: Credentials will be persisted in log files, monitoring dashboards, and CI/CD pipeline logs, dramatically widening the exposure surface beyond just the git history.
Suggested fix:
Remove the console.log statement entirely. If connection diagnostics are needed, log only a sanitized indicator such as console.log('MONGO_URI configured:', !!process.env.MONGO_URI).
CodeGuard · security
codeguard Review · v0.1.0
🔴 Changes requested
Findings: 2 critical · 0 warning · 0 suggestion · 0 nit
Summary
This PR introduces a blank line but also exposes a hardcoded MongoDB Atlas connection URI containing plaintext credentials directly in source code, and then logs those credentials to the console. Both findings are critical security issues. The database password must be rotated immediately as it is now committed to git history and cannot be fully removed by a follow-up commit alone. The credentials should be moved to environment variables, the console.log removed, and the team should audit whether the repository is public or has been forked. This PR must not be merged.
Top findings
This review was generated by CodeGuard, a git-native AI PR reviewer.