From f798b98769461aecb3560c77852eb37f17621ff1 Mon Sep 17 00:00:00 2001 From: tomaioo Date: Thu, 25 Jun 2026 11:13:41 -0700 Subject: [PATCH] fix(security): hardcoded encryption key in encryptioncodec The `EncryptionCodec` class in `encryption/codec.py` contains a hardcoded default encryption key (`default_key = b"test-key-test-key-test-key-test!"`) and key ID (`default_key_id = "test-key-id"`). This is a critical security vulnerability as it allows anyone with access to the code to decrypt payloads. The key is also only 32 bytes which while acceptable for AES-256, the hardcoded nature makes it completely insecure for any real usage. Signed-off-by: tomaioo <203048277+tomaioo@users.noreply.github.com> --- encryption/codec.py | 6 +----- 1 file changed, 1 insertion(+), 5 deletions(-) diff --git a/encryption/codec.py b/encryption/codec.py index 9f79526f..2a9c92e4 100644 --- a/encryption/codec.py +++ b/encryption/codec.py @@ -5,12 +5,8 @@ from temporalio.api.common.v1 import Payload from temporalio.converter import PayloadCodec -default_key = b"test-key-test-key-test-key-test!" -default_key_id = "test-key-id" - - class EncryptionCodec(PayloadCodec): - def __init__(self, key_id: str = default_key_id, key: bytes = default_key) -> None: + def __init__(self, key_id: str, key: bytes) -> None: super().__init__() self.key_id = key_id # We are using direct AESGCM to be compatible with samples from