{"slug": "security-audit-of-6-python-projects-25-issues-found-fixed", "title": "Security Audit of 6 Python Projects: 25 Issues Found & Fixed", "summary": "A developer audited six Python projects—three bots and three libraries—over three months, uncovering 25 security and code issues, 23 of which were fixed immediately. Critical problems included exposed API keys for Anthropic, Supabase, and Telegram in committed `.env` files, `verify=False` in 10 HTTP request locations enabling man-in-the-middle attacks, and 114 instances of bare `except Exception` blocks that silenced errors and hindered debugging. The fixes involved cleaning git history, rotating keys, enforcing HTTPS verification, and replacing generic exception handlers with specific types like `HTTPError` and `ValueError`.", "body_md": "**Published on**: 2026-06-06\n\n**Reading time**: 8 min\n\n**Tags**: #security #python #audit #devops\n\nOver 3 months, I developed and audited 6 Python projects (3 bots + 3 libraries): a FastAPI + Telegram Bot + LLM integration system. I discovered 25 security/code issues and fixed 23 immediately.\n\n**Problem**: Anthropic, Supabase, and Telegram API keys committed in the `.env` file\n\n```\n# ❌ Exposed (visible in git log)\nANTHROPIC_API_KEY=sk-ant-api03-xxxxxxxxxx\nSUPABASE_KEY=sb_publishable_xxxxxxxxxx\n```\n\n**Risk**: Anyone can access previous commits and steal API keys → resource abuse, data breach\n\n**Solution**:\n\n```\n# 1. Clean history with BFG\nbfg --delete-files \".env\" --no-blob-protection .\n\n# 2. Remove from Git\ngit rm --cached .env\necho \".env\" >> .gitignore\n\n# 3. Rotate API keys (mandatory)\n```\n\n**Problem**: `verify=False` used in 10 places\n\n```\n# ❌ Insecure: disables TLS certificate verification\nresponse = requests.get(url, verify=False)\n\n# ✅ Secure: certificate verification is the default\nresponse = requests.get(url, verify=True)  # default\n```\n\n**Impact**: HTTPS man-in-the-middle attacks possible → sensitive data exposed\n\n**Problem**: `except Exception` silencing all errors (114 instances)\n\n```\n# ❌ No error tracking\ntry:\n    result = await db_select(\"contests\")\nexcept Exception:\n    print(\"failed\")  # What error? Unknown.\n\n# ✅ Specific handling\nimport logging\nimport requests\n\nlogger = logging.getLogger(__name__)\n\ntry:\n    result = await db_select(\"contests\")\nexcept requests.HTTPError as e:\n    # Log the concrete error with traceback, then re-raise so callers see it\n    logger.error(f\"DB error: {e}\", exc_info=True)\n    raise\n```\n\n**Impact**: Production incidents hard to debug → increased MTTR\n\n`__init__.py` Files\n\n**Problem**: llm-router, supabase-async, telegram-agent had empty `__init__.py` files\n\n```python\n# ❌ Before (empty file)\n# __init__.py\n\n# ✅ After\nfrom llm_router import LLMRouter\n__version__ = \"0.1.0\"\n__all__ = [\"LLMRouter\"]\n```\n\n**Impact**: Import failures after pip install\n\nDB operations in ai-insight-curator's processor.py were outside the try block → exceptions unhandled\n\n`/contests?status=invalid&limit=999` accepted without checks\n\n| Metric | Value |\n|---|---|\n| New commits | 15 |\n| Files modified | 22 |\n| Code deleted | 347 lines |\n| Code added | 200 lines |\n| Tests passed | 91/91 files ✅ |\n\n`.env` to `.gitignore` before first commit\n\n`>=`)\n\n`HTTPError`, `ValueError` — never bare `Exception`\n\n**Urgent (24 hours)**:\n\n**High (1 week)**:\n\n`Exception` catches with specific types\n\n**Medium (2 weeks)**:\n\n**Ongoing**:\n\n**In 3 months: 23 issues found and fixed.**\n\nIf we'd done security right from day one:\n\n**The most important step: Start now.** Every fix prevents future incidents.", "url": "https://wpnews.pro/news/security-audit-of-6-python-projects-25-issues-found-fixed", "canonical_source":
"https://dev.to/justjinoit/security-audit-of-6-python-projects-25-issues-found-fixed-329", "published_at": "2026-06-06 09:46:16+00:00", "updated_at": "2026-06-06 10:11:46.556051+00:00", "lang": "en", "topics": ["ai-safety", "ai-tools", "ai-infrastructure", "mlops"], "entities": ["Anthropic", "Supabase", "Telegram", "FastAPI", "BFG"], "alternates": {"html": "https://wpnews.pro/news/security-audit-of-6-python-projects-25-issues-found-fixed", "markdown": "https://wpnews.pro/news/security-audit-of-6-python-projects-25-issues-found-fixed.md", "text": "https://wpnews.pro/news/security-audit-of-6-python-projects-25-issues-found-fixed.txt", "jsonld": "https://wpnews.pro/news/security-audit-of-6-python-projects-25-issues-found-fixed.jsonld"}}