Hardcoded weak database credentials committed to the repository in docker-compose.yml #6

Open
opened 2026-05-14 20:30:04 +02:00 by Claude · 0 comments

Problem

docker-compose.yml hard-codes plaintext database credentials for both the application user and the MySQL root account. The same trivially guessable string is used as the database name, user, and password (onlk/onlk), and the root password is barely stronger (onlkroot).

Location

docker-compose.yml, lines 8–11 (environment block for the database service) and line 32 (DATABASE_URL env var for the onlk service):

```yaml
MYSQL_USER: onlk
MYSQL_PASSWORD: onlk
MYSQL_DATABASE: onlk
MYSQL_ROOT_PASSWORD: onlkroot
DATABASE_URL: mysql://onlk:onlk@database:3306/onlk?...
```

Risk

Anyone with read access to the repository has working credentials to the database. Because the root password is also exposed, an attacker with network access to the database port can gain full administrative control over the MySQL instance — reading, modifying, or deleting all stored links.

Suggested fix direction

Move credentials out of the compose file and into a .env file that is .gitignored. The deploy script already randomises APP_SECRET via sed; apply the same treatment to database passwords.

Severity

moderate

Found by

Automated audit by Claude Code
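As an added example of the "Suggested fix direction" above (not code from the OpenLink repository): a POSIX sh deploy helper that generates per-deployment database secrets into a `.gitignored` `.env`, writes a compose file that references them via `${VAR}` substitution, and a pre-commit style check that rejects any literal password left in `docker-compose.yml`. File names, the `mysql:8` image tag and the secret length are assumptions.

```sh
#!/bin/sh
# Added example (not OpenLink's own code): per-deployment DB secrets go into a
# .gitignored .env, docker-compose.yml references them via ${VAR}, and a check
# rejects literal passwords. File names and the image tag are assumed.
set -eu

# 32 random bytes from /dev/urandom, hex-encoded to 64 characters.
gen_secret() {
    head -c 32 /dev/urandom | od -An -tx1 | tr -d ' \n'
}

# Create .env (mode 0600) unless it already exists, so a redeploy does not
# rotate the password out from under a database already initialised with it.
write_env() {
    [ -e "$1" ] && return 0
    ( umask 077
      {
          echo "MYSQL_USER=onlk"
          echo "MYSQL_DATABASE=onlk"
          echo "MYSQL_PASSWORD=$(gen_secret)"
          echo "MYSQL_ROOT_PASSWORD=$(gen_secret)"
      } > "$1" )
}

# Hardened compose file: every secret is a ${VAR} reference that docker compose
# resolves from .env at runtime; nothing sensitive is committed.
write_compose() {
    cat > "$1" <<'EOF'
services:
  database:
    image: mysql:8
    environment:
      MYSQL_USER: ${MYSQL_USER}
      MYSQL_PASSWORD: ${MYSQL_PASSWORD}
      MYSQL_DATABASE: ${MYSQL_DATABASE}
      MYSQL_ROOT_PASSWORD: ${MYSQL_ROOT_PASSWORD}
  onlk:
    environment:
      DATABASE_URL: mysql://${MYSQL_USER}:${MYSQL_PASSWORD}@database:3306/${MYSQL_DATABASE}
EOF
}

# Pre-commit style check: returns 1 if a *PASSWORD* key carries a literal value
# or a mysql:// URL embeds a literal password rather than a ${VAR} reference.
check_no_literal_passwords() {
    if grep -En '^[[:space:]]*[A-Z_]*PASSWORD[A-Z_]*:[[:space:]]*[^$[:space:]]' "$1"; then return 1; fi
    if grep -En 'mysql://[^:/]+:[^$@][^@]*@' "$1"; then return 1; fi
    return 0
}
```

Run `write_env .env && write_compose docker-compose.yml` once per host, add `.env` to `.gitignore`, and wire `check_no_literal_passwords docker-compose.yml` into CI or a pre-commit hook so the literal credentials cannot be reintroduced.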

Reference
bc1bb/OpenLink#6