Files
wehub-resource-sync 0d3cb498a3
CI / Shell Format Check (push) Has been cancelled
CI / Check Ruby (3.4) (push) Has been cancelled
CI / CI Config (push) Has been cancelled
CI / Test on Node ${{ matrix.node }} and ${{ matrix.os }}${{ matrix.shard && format(' (shard {0}/3)', matrix.shard) || '' }} (push) Has been cancelled
CI / Build on Node ${{ matrix.node }} (push) Has been cancelled
CI / Style Check (push) Has been cancelled
CI / Generate Assets (push) Has been cancelled
CI / Check Python (3.14) (push) Has been cancelled
CI / Check Python (3.9) (push) Has been cancelled
CI / Build Docs (push) Has been cancelled
CI / Code Scan Action (push) Has been cancelled
CI / Site tests (push) Has been cancelled
CI / webui tests (push) Has been cancelled
CI / Run Integration Tests (push) Has been cancelled
CI / Run Smoke Tests (push) Has been cancelled
CI / Go Tests (push) Has been cancelled
CI / Share Test (push) Has been cancelled
CI / Redteam (Production API) (push) Has been cancelled
CI / Redteam (Staging API) (push) Has been cancelled
CI / GitHub Actions Lint (push) Has been cancelled
CI / Check Ruby (3.0) (push) Has been cancelled
release-please / release-please (push) Has been cancelled
release-please / build (push) Has been cancelled
release-please / publish-npm (push) Has been cancelled
release-please / publish-npm-backfill (push) Has been cancelled
release-please / docker (push) Has been cancelled
release-please / publish-code-scan-action (push) Has been cancelled
release-please / attest-code-scan-action (push) Has been cancelled
Deploy local.promptfoo.app / Deploy to Cloudflare Pages (push) Has been cancelled
Test and Publish Multi-arch Docker Image / test (push) Has been cancelled
Test and Publish Multi-arch Docker Image / build-docker-and-push-digests (map[digest-suffix:linux-amd64 platform:linux/amd64 runner:ubuntu-latest]) (push) Has been cancelled
Test and Publish Multi-arch Docker Image / build-docker-and-push-digests (map[digest-suffix:linux-arm64 platform:linux/arm64 runner:ubuntu-24.04-arm]) (push) Has been cancelled
Test and Publish Multi-arch Docker Image / merge-docker-digests (push) Has been cancelled
Test and Publish Multi-arch Docker Image / Attest Multi-arch Image (push) Has been cancelled
Validate Renovate Config / Validate Renovate Configuration (push) Has been cancelled
chore: import upstream snapshot with attribution
2026-07-13 13:24:08 +08:00

119 lines
4.5 KiB
Python

"""Configuration settings for CloudSwag Demo"""
import os
from pathlib import Path
from dotenv import load_dotenv
# Load environment variables
load_dotenv()
# Base paths
PROJECT_ROOT = Path(__file__).parent.parent
DATA_DIR = PROJECT_ROOT / "data"
POLICIES_DIR = DATA_DIR / "policies"
# Database
SWAG_DB_PATH = PROJECT_ROOT / os.getenv("SWAG_DB_PATH", "data/swag_store.db")
# JWT Configuration
JWT_SECRET = os.getenv("JWT_SECRET", "cloudswag-secret-change-in-production")
JWT_ALGORITHM = os.getenv("JWT_ALGORITHM", "HS256")
# MCP Server Configuration
# SQLite MCP server can be installed via: uvx mcp-server-sqlite
# Using uvx to run the published package instead of a local script
USE_UVX_SQLITE = os.getenv("USE_UVX_SQLITE", "true").lower() == "true"
SQLITE_MCP_SERVER = Path(
os.getenv("SQLITE_MCP_SERVER", "")
) # Only used if USE_UVX_SQLITE=false
# Anthropic
ANTHROPIC_API_KEY = os.getenv("ANTHROPIC_API_KEY")
# =============================================================================
# SECURITY LEVELS - OWASP API Security Top 10 Vulnerability Configuration
# =============================================================================
# Levels: 1 = Weak (easily exploitable), 2 = Medium (bypassable), 3 = Strong (secure)
# API1: Broken Object Level Authorization (BOLA)
# Level 1: No enforcement, system prompt only
# Level 2: Blacklist filter on other user IDs
# Level 3: Auto-inject user_id filter at database layer
SECURITY_BOLA = int(os.getenv("SECURITY_BOLA", "1"))
# API2: Broken Authentication
# Level 1: Accept unsigned JWTs (alg:none), no re-validation on tool calls
# Level 2: Weak secret, no expiry check
# Level 3: Strong secret, expiry enforced, signature required
SECURITY_AUTH = int(os.getenv("SECURITY_AUTH", "1"))
# API3: Broken Object Property Level Authorization
# Level 1: All columns exposed (cost_price, profit_margin, salary, ssn)
# Level 2: SELECT * blocked, but direct column queries allowed
# Level 3: Column whitelist enforced
SECURITY_PROPERTY_AUTH = int(os.getenv("SECURITY_PROPERTY_AUTH", "1"))
# API5: Broken Function Level Authorization
# Level 1: Admin tools visible and functional for all users
# Level 2: Admin tools hidden but functional if discovered
# Level 3: Admin tools filtered out for non-admin users
SECURITY_FUNCTION_AUTH = int(os.getenv("SECURITY_FUNCTION_AUTH", "1"))
# API7: Server Side Request Forgery (SSRF)
# Level 1: Fetch tool accepts ANY URL (including internal metadata)
# Level 2: Blacklist blocks common internal IPs but has bypasses
# Level 3: Whitelist only allows specific mock service URLs
SECURITY_SSRF = int(os.getenv("SECURITY_SSRF", "1"))
# API8: Security Misconfiguration
# Level 1: Debug endpoints exposed, verbose errors, JWT secret in logs
# Level 2: Debug requires key but key is leaked in error messages
# Level 3: No debug endpoints, sanitized errors
SECURITY_MISCONFIGURATION = int(os.getenv("SECURITY_MISCONFIGURATION", "1"))
# API9: Improper Inventory Management
# Level 1: Legacy v1 API exposed (no auth), mentioned in system prompt
# Level 2: Legacy v1 exists but not documented (discoverable)
# Level 3: Only current API version exists
SECURITY_INVENTORY = int(os.getenv("SECURITY_INVENTORY", "1"))
# API10: Unsafe Consumption of APIs
# Level 1: Blindly follow redirects, no response sanitization
# Level 2: Redirects limited to same domain, response not sanitized
# Level 3: No redirects followed, all external data sanitized
SECURITY_UNSAFE_CONSUMPTION = int(os.getenv("SECURITY_UNSAFE_CONSUMPTION", "1"))
# SSRF Protection Lists
SSRF_BLACKLIST = [
"169.254.169.254", # AWS metadata
"metadata.google.internal", # GCP metadata
"metadata.azure.com", # Azure metadata
]
SSRF_WHITELIST = [
"http://localhost:8000/mock/shipping/",
"http://localhost:8000/mock/weather/",
"http://localhost:8000/mock/promotions/",
]
# Sensitive columns that should be protected (API3)
SENSITIVE_COLUMNS = {
"products": ["cost_price", "profit_margin", "supplier_id"],
"users": ["password_hash", "salary", "ssn_last_four"],
}
# Admin-only tools (API5)
ADMIN_TOOLS = [
"write_query",
"update_user_points",
"modify_order_status",
"delete_order",
]
# =============================================================================
# PROMPT DIFFICULTY - Controls how strict the system prompt is
# =============================================================================
# "easy" = Minimal security instructions, easier to jailbreak
# "hard" = Strong security instructions, harder to jailbreak (default)
PROMPT_DIFFICULTY = os.getenv("PROMPT_DIFFICULTY", "easy").lower()