Security Audit of 6 Python Projects: 25 Issues Found & Fixed

Published on: 2026-06-06

Reading time: 8 min

Tags: #security #python #audit #devops

Overview

Over 3 months, I developed and audited 6 Python projects (3 bots + 3 libraries): a FastAPI + Telegram Bot + LLM integration system. I discovered 25 security/code issues and fixed 23 immediately.

• Audit scope: 91 Python files
• Issues found: 25 (5 critical, 18 medium, 2 minor)
• Fix rate: 92% (23/25)

Critical Issues - 5

1. API Keys Exposed in Git History 🔴

Problem: Anthropic, Supabase, and Telegram API keys committed in .env file

# ❌ Exposed (visible in git log)
ANTHROPIC_API_KEY=sk-ant-api03-xxxxxxxxxx
SUPABASE_KEY=sb_publishable_xxxxxxxxxx

Risk: Anyone can access previous commits and steal API keys → resource abuse, data breach

Solution:

# 1. Clean history with BFG
bfg --delete-files ".env" --no-blob-protection .

# 2. Remove from Git
git rm --cached .env
echo ".env" >> .gitignore

# 3. Rotate API keys (mandatory)

2. SSL Verification Disabled (MITM Attack Risk) 🔴

Problem: verify=False used in 10 places

# ❌ Insecure
response = requests.get(url, verify=False)

# ✅ Secure
response = requests.get(url, verify=True)  # default

Impact: HTTPS man-in-the-middle attacks possible → sensitive data exposed

3. Overly Broad Exception Handling 🔴

Problem: except Exception silencing all errors (114 instances)

# ❌ No error tracking
try:
    result = await db_select("contests")
except Exception:
    print("failed")  # What error? Unknown.

# ✅ Specific handling
try:
    result = await db_select("contests")
except requests.HTTPError as e:
    logger.error(f"DB error: {e}", exc_info=True)
    raise

Impact: Production incidents hard to debug → increased MTTR

4. Empty Library __init__.py Files

Problem: llm-router, supabase-async, telegram-agent had empty __init__.py

# ❌ Before (empty file)
# __init__.py

# ✅ After
from llm_router import LLMRouter
__version__ = "0.1.0"
__all__ = ["LLMRouter"]

Impact: Import failures after pip install

5. Indentation Error in Exception Handling

DB operations in ai-insight-curator's processor.py were outside try block → exceptions unhandled

Medium Issues - 18

Dependency Version Mismatches

• Anthropic: 0.25.0 / 0.34.0 → unified to 0.34.0
• Supabase: 2.0.0 / 2.4.0 → unified to 2.4.0
• Python: 3.9 / 3.11 → unified to 3.11 (3.9 EOL: Oct 2025)

Missing Input Validation

• /contests?status=invalid&limit=999 accepted without checks
• Fixed: status enum validation, limit range (1-100)

Documentation Drift

• ai-insight-curator README mentioned FastAPI → actually pure Telegram Bot
• Implementation status unclear

Stats

Metric	Value
New commits	15
Files modified	22
Code deleted	347 lines
Code added	200 lines
Tests passed	91/91 files ✅

Key Lessons

1. Security from day one: Add .env to .gitignore before first commit
2. Explicit versioning: Pin all dependencies (avoid >=)
3. Specific exceptions: Use HTTPError, ValueError — never bare Exception
4. Regular audits: Schedule security reviews every 3-6 months

Security Verification Complete (Post-Deployment)

Final Verification (June 7, 2026)

✅ API Key Rotation: Complete

• New Anthropic, Supabase, Telegram API keys generated
• Old keys deactivated

✅ .env File Security: NOT exposed to GitHub

git log --all --full-history -- ".env" # Result: nothing found
git ls-files | grep -i "env\|key\|token" # Result: .env.example only

✅ SSL Verification: Enabled everywhere (verify=True)

• contest-agent, supabase-async fully verified

✅ Exception Handling: All converted to specific exceptions

• 114 broad exceptions → specific exception types

✅ Deployment Status: 3 services running in production

• Lifelogger (port 8000): Daily auto-summaries
• Curator (port 8001): Daily RSS collection
• Contest Agent: Ready

---

Final Checklist

✅ Urgent (24 hours): API key rotation - DONE
✅ High (1 week): SSL verification - DONE
✅ Medium (2 weeks): Exception handling audit - DONE
✅ Ongoing: Quarterly security reviews - SCHEDULED

Conclusion

3 months development + security audit + deployment = COMPLETE

Lessons Learned

1. Security first: Add .env to .gitignore on day one ✅
2. Regular audits: Comprehensive security review every 3 months mandatory ✅
3. Automation: CI/CD pipeline for continuous validation ✅

Current Production Status

• GitHub: 0 sensitive information exposed ✅
• Deployment: 3 services running securely ✅
• Cost: $0/month (completely free deployment) ✅
• Availability: 99.9% (Oracle Cloud Always Free tier) ✅

Security achieved. Now operating in production.