Fix security vulnerabilities: update dependencies and remove hardcoded secrets

- Update filelock 3.20.0 -> 3.20.2 (GHSA-w853-jp5j-5j7f)
- Update fonttools 4.60.1 -> 4.61.1 (GHSA-768j-98cg-p3fv)
- Update scapy 2.6.1 -> 2.7.0 (GHSA-cq46-m9x9-j8w2)
- Update urllib3 2.5.0 -> 2.6.2 (GHSA-2xpw-w6gg-jr37, GHSA-gm62-xv2j-4w53)
- Remove hardcoded API keys from instagram_geo-example.py
- Remove hardcoded database password from hug-postgresql-example.py
- Fix SQL injection vulnerability with parameterized queries
- Add secret scanning workflow
- Add configs.py.example template
- Add Dependabot configuration

Author: James Campbell

.github/dependabot.yml

@@ -0,0 +1,14 @@
+version: 2
+updates:
+  - package-ecosystem: "pip"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+    open-pull-requests-limit: 10
+    ignore:
+      # pip 25.2 vulnerability - NOT AFFECTED (Python 3.12+ implements PEP 706)
+      - dependency-name: "pip"
+        versions: ["25.2"]
+      # scrapy already at latest version, old vulnerability from 2017
+      - dependency-name: "scrapy"
+        versions: ["2.13.3"]

.github/workflows/secret-scanning.yml

@@ -0,0 +1,32 @@
+name: Secret Scanning
+
+on:
+  push:
+    branches: [ main, master ]
+  pull_request:
+    branches: [ main, master ]
+  schedule:
+    - cron: '0 0 * * 0'  # Weekly scan
+
+jobs:
+  secret-scanning:
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v4
+      with:
+        fetch-depth: 0  # Full history for better detection
+
+    - name: Run Gitleaks
+      uses: gitleaks/gitleaks-action@v2
+      env:
+        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+    - name: Check for hardcoded secrets
+      run: |
+        echo "Checking for common secret patterns..."
+        # Check for hardcoded API keys, passwords, tokens
+        if grep -rE "(api[_-]?key|apikey|secret|password|token|auth|credential|private[_-]?key)\s*=\s*['\"][^'\"]{10,}" --include="*.py" python-examples/ | grep -v "configs.py" | grep -v "from configs import" | grep -v "os.getenv" | grep -v "input(" | grep -v "#.*example" | grep -v "yoursecretkey" | grep -v "your.*token"; then
+          echo "::error::Found potential hardcoded secrets in code!"
+          exit 1
+        fi
+        echo "No hardcoded secrets found"

README.md

@@ -57,6 +57,29 @@ uv run isort .
 - **assets/**: Sample data files for examples
 - **tests/**: Test files
 - **.github/workflows/**: GitHub Actions for CI/CD
+- **configs.py.example**: Template for API keys and credentials (copy to `configs.py`)
+
+## 🔐 Security & Configuration
+
+### Setting Up API Keys
+
+Many examples require API keys or credentials. To use them:
+
+1. Copy the example config file:
+   ```bash
+   cp configs.py.example configs.py
+   ```
+
+2. Edit `configs.py` and add your actual API keys (this file is gitignored)
+
+3. Alternatively, use environment variables:
+   ```bash
+   export FOURSQUARE_CLIENT_ID="your_key"
+   export FOURSQUARE_CLIENT_SECRET="your_secret"
+   export DB_PASSWORD="your_password"
+   ```
+
+**⚠️ Never commit `configs.py` to version control!** It's already in `.gitignore`.
 
 ## 🤖 LLM & AI Examples
 

configs.py.example

@@ -0,0 +1,33 @@
+"""
+Example configuration file for python-examples.
+
+Copy this file to configs.py and fill in your actual API keys and credentials.
+NEVER commit configs.py to version control - it's already in .gitignore
+"""
+
+# Foursquare API (for instagram_geo-example.py)
+foursquare_client_id = "your_foursquare_client_id_here"
+foursquare_client_secret = "your_foursquare_client_secret_here"
+
+# Quandl API (for quandl-example.py)
+myqkey = "your_quandl_api_key_here"
+
+# Pinboard API (for pinboard-example.py)
+# Get your token at https://pinboard.in/settings/password
+pinapi = "your_username:your_api_token"
+
+# Shodan API (for shodan-example.py)
+globalshodankey = "your_shodan_api_key_here"
+
+# Zillow API (for pyzillow-example.py)
+zillowapi = "your_zillow_api_key_here"
+
+# PostgreSQL Database (for hug-postgresql-example.py)
+db_name = "your_database_name"
+db_user = "your_database_user"
+db_host = "localhost"
+db_password = "your_database_password"
+
+# Instagram API (deprecated - Facebook killed the API)
+# instagram_client_id = "your_instagram_client_id"
+# instagram_access_token = "your_instagram_access_token"

pyproject.toml

@@ -21,6 +21,9 @@ dependencies = [
     "fuzzywuzzy>=0.18.0",
     "scrapy>=2.13.4",
     "pytest>=8.3.0",
+    # Security notes:
+    # - pip 25.2 vulnerability (GHSA-4xh5-x5gv-qwph): NOT AFFECTED - Python 3.12+ implements PEP 706
+    # - scrapy 2.13.3 (PYSEC-2017-83): Already at latest version, old DoS vulnerability from 2017
     "termcolor>=2.4.0",
     "pycld2>=0.41",
     "polyglot>=16.7.4",
@@ -36,6 +39,9 @@ dependencies = [
     "webdriver-manager>=4.0.2",
     "scapy>=2.7.0",
     "matplotlib>=3.9.0",
+    # Security: Pin vulnerable transitive dependencies to fixed versions
+    "filelock>=3.20.2",
+    "fonttools>=4.60.2",
     "iptcinfo3>=2.1.4",
     "requests>=2.31.0",
     "lxml>=5.2.0",

python-examples/hug-postgresql-example.py

@@ -20,20 +20,46 @@
 @hug.get('/test')
 def test_connect():
     """Test connection to db."""
-    psycopg2.connect("dbname='t' user='t' host='localhost' password='test'")
+    # Get database credentials from configs.py or environment variables
+    try:
+        from configs import db_name, db_user, db_host, db_password
+    except ImportError:
+        import os
+        db_name = os.getenv('DB_NAME', 't')
+        db_user = os.getenv('DB_USER', 't')
+        db_host = os.getenv('DB_HOST', 'localhost')
+        db_password = os.getenv('DB_PASSWORD', '')
+        if not db_password:
+            return {'error': 'Database password not configured. Set DB_PASSWORD environment variable or configs.py'}
+    
+    psycopg2.connect(f"dbname='{db_name}' user='{db_user}' host='{db_host}' password='{db_password}'")
     return ('connected successfully to db! ready for queries.')
 
 
 @hug.get('/checktable')
 def test_write(user='t', table='testtable'):
     """Test write to DB."""
-    conn = psycopg2.connect("dbname='t' user='t' host='localhost' password='test'")
+    # Get database credentials from configs.py or environment variables
+    try:
+        from configs import db_name, db_user, db_host, db_password
+    except ImportError:
+        import os
+        db_name = os.getenv('DB_NAME', 't')
+        db_user = os.getenv('DB_USER', 't')
+        db_host = os.getenv('DB_HOST', 'localhost')
+        db_password = os.getenv('DB_PASSWORD', '')
+        if not db_password:
+            return {'error': 'Database password not configured. Set DB_PASSWORD environment variable or configs.py'}
+    
+    conn = psycopg2.connect(f"dbname='{db_name}' user='{db_user}' host='{db_host}' password='{db_password}'")
     print('connected successfully to db! ready for queries.')
     cur = conn.cursor()
-    cur.execute("select exists(select relname from pg_class where relname='" + table + "')")
+    # Fix SQL injection vulnerability by using parameterized queries
+    cur.execute("SELECT exists(SELECT relname FROM pg_class WHERE relname=%s)", (table,))
     exists = cur.fetchone()[0]
     print(exists)
     cur.close()
+    conn.close()
     if exists:
         return 'THIS TABLE EXISTS'
     else:

python-examples/instagram_geo-example.py

@@ -11,8 +11,20 @@
 limiter = '1'  # make sure to keep as string due to concat issues otherwise
 cityer = input('What city to search? (no spaces, include country): ')
 queryer = urllib.parse.quote(input('What is the name of venue to search?: '))
-clientider = '5HIGYBY4D24FXGCYTMYBUBGLYQSLORV03CRUS4E53F3GZ1VS'
-clientsecreter = 'B11MC3TFDEY10XQQTUDQGGTKDGCCJBOHD4RPY5VYEW12ZNIN'
+# Get API credentials from configs.py or environment variables
+try:
+    from configs import foursquare_client_id, foursquare_client_secret
+    clientider = foursquare_client_id
+    clientsecreter = foursquare_client_secret
+except ImportError:
+    import os
+    clientider = os.getenv('FOURSQUARE_CLIENT_ID', '')
+    clientsecreter = os.getenv('FOURSQUARE_CLIENT_SECRET', '')
+    if not clientider or not clientsecreter:
+        print('Error: Foursquare API credentials not found.')
+        print('Please set FOURSQUARE_CLIENT_ID and FOURSQUARE_CLIENT_SECRET environment variables')
+        print('or create configs.py with foursquare_client_id and foursquare_client_secret variables')
+        exit(1)
 dater = dt.datetime.today().strftime("%Y%m%d")  # the v needs YYYYMMDD format
 # the actual api call url
 foursquareapivenuesearch = f"https://api.foursquare.com/v2/venues/search?limit={limiter}&near={cityer}&query={queryer}&client_id={clientider}&client_secret={clientsecreter}&v={dater}"
@@ -28,6 +40,12 @@
 # INSTAGRAM API KILLED BY FACEBOOK - FUCK YOU FACEBOOK!
 print("This example was killed by Facebook killing API's. Complain to Facebook.")
 # globals Instagram API
-# instaclientid = '35b999a6d51344cc98ebb061da538999'
-# instaaccess_token='290277.35b999a.e2423222efa04c058b0e9b95cbf77c07'
+# Note: Instagram API credentials should be loaded from configs.py or environment variables
+# Example:
+# try:
+#     from configs import instagram_client_id, instagram_access_token
+# except ImportError:
+#     import os
+#     instaclientid = os.getenv('INSTAGRAM_CLIENT_ID', '')
+#     instaaccess_token = os.getenv('INSTAGRAM_ACCESS_TOKEN', '')
 #

requirements.txt

@@ -25,6 +25,8 @@ pypdf2>=3.0.1
 pinboard>=2.1.9
 webdriver-manager>=4.0.2
 scapy>=2.7.0
+filelock>=3.20.2
+fonttools>=4.60.2
 matplotlib>=3.9.0
 iptcinfo3>=2.1.4
 requests>=2.31.0