JustJinoIT
Security Audit of 6 Python Projects: 25 Issues Found & Fixed

Published on: 2026-06-06

Reading time: 8 min

Tags: #security #python #audit #devops

Overview

Over 3 months, I developed and audited 6 Python projects (3 bots + 3 libraries): a FastAPI + Telegram Bot + LLM integration system. I discovered 25 security/code issues and fixed 23 immediately.

  • Audit scope: 91 Python files
  • Issues found: 25 (5 critical, 18 medium, 2 minor)
  • Fix rate: 92% (23/25)

Critical Issues - 5

1. API Keys Exposed in Git History 🔴

Problem: Anthropic, Supabase, and Telegram API keys were committed in the .env file

# ❌ Exposed (visible in git log)
ANTHROPIC_API_KEY=sk-ant-api03-xxxxxxxxxx
SUPABASE_KEY=sb_publishable_xxxxxxxxxx

Risk: Anyone with read access to the repository can pull the keys out of earlier commits, even after the file is deleted → resource abuse, data breach

Solution:

# 1. Clean history with BFG (run against a fresh mirror clone of the repo)
bfg --delete-files ".env" --no-blob-protection .
# BFG rewrites the commits but leaves the old objects in place until they are expired and collected
git reflog expire --expire=now --all && git gc --prune=now --aggressive
# the rewritten history must then be force-pushed to the remote

# 2. Remove from Git
git rm --cached .env
echo ".env" >> .gitignore

# 3. Rotate API keys (mandatory: a key that was ever pushed is compromised, rewriting history does not revoke it)

2. SSL Verification Disabled (MITM Attack Risk) 🔴

Problem: verify=False was passed to requests in 10 places

# ❌ Insecure
response = requests.get(url, verify=False)

# ✅ Secure
response = requests.get(url, verify=True)  # verify=True is the default, so the argument can simply be dropped
</gre_replace>
<gr_replace lines="60" cat="clarify" orig="Impact: HTTPS">
Impact: With certificate verification off, anyone on the network path can present their own certificate and read or alter the HTTPS traffic → sensitive data exposed

Impact: HTTPS man-in-the-middle attacks possible → sensitive data exposed

3. Overly Broad Exception Handling 🔴

Problem: except Exception was silencing all errors (114 instances)

import logging
import requests

logger = logging.getLogger(__name__)

# ❌ No error tracking
try:
    result = await db_select("contests")
except Exception:
    print("failed")  # What error? Unknown. The exception type and traceback are lost.

# ✅ Specific handling
try:
    result = await db_select("contests")
except requests.HTTPError as e:
    logger.error(f"DB error: {e}", exc_info=True)  # exc_info=True keeps the traceback in the log
    raise  # re-raise so the failure is not swallowed

Impact: Production incidents hard to debug → increased MTTR
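Issues 2 and 3 were found by reading 91 files by hand. As an added example (not code from the original post or from the audited projects), here is a small AST-based checker that flags both patterns: requests-style calls with verify=False, and bare or broad except handlers, noting whether the handler re-raises. The sample source string is constructed for the demonstration.

```python
import ast
from dataclasses import dataclass


@dataclass
class Finding:
    line: int
    rule: str
    detail: str


BROAD_EXCEPTIONS = {"Exception", "BaseException"}


def _is_broad(handler: ast.ExceptHandler) -> bool:
    """True for 'except:', 'except Exception:' and 'except BaseException:' (also inside a tuple)."""
    if handler.type is None:
        return True
    if isinstance(handler.type, ast.Name):
        return handler.type.id in BROAD_EXCEPTIONS
    if isinstance(handler.type, ast.Tuple):
        return any(isinstance(e, ast.Name) and e.id in BROAD_EXCEPTIONS for e in handler.type.elts)
    return False


def audit_source(source: str) -> list[Finding]:
    """Walk one module's AST and collect verify=False calls and broad except handlers."""
    findings: list[Finding] = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Call):
            for kw in node.keywords:
                # keyword argument verify=False on any call (requests.get, session.post, ...)
                if kw.arg == "verify" and isinstance(kw.value, ast.Constant) and kw.value.value is False:
                    findings.append(Finding(node.lineno, "ssl-verify-disabled", ast.unparse(node.func)))
        elif isinstance(node, ast.ExceptHandler) and _is_broad(node):
            # a broad handler that never re-raises swallows the error entirely
            reraises = any(isinstance(n, ast.Raise) for n in ast.walk(node))
            findings.append(Finding(node.lineno, "broad-except", "re-raises" if reraises else "swallowed"))
    return sorted(findings, key=lambda f: f.line)


# Constructed sample module reproducing the two anti-patterns from the audit.
SAMPLE = """\
import requests

def fetch(url):
    return requests.get(url, verify=False)

def load():
    try:
        return db_select("contests")
    except Exception:
        print("failed")

def strict():
    try:
        return db_select("contests")
    except Exception as e:
        raise
"""

if __name__ == "__main__":
    for f in audit_source(SAMPLE):
        print(f"line {f.line}: {f.rule} ({f.detail})")
```

Run it over a project with `audit_source(path.read_text())` per file; the line numbers map straight back to the source for fixing.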

4. Empty Library __init__.py Files

Problem: llm-router, supabase-async, telegram-agent had empty __init__.py

# ❌ Before (empty file)
# __init__.py

# ✅ After
from llm_router import LLMRouter
__version__ = "0.1.0"
__all__ = ["LLMRouter"]

Impact: from llm_router import LLMRouter failed after pip install, because the package exported nothing

5. Indentation Error in Exception Handling

Problem: DB operations in ai-insight-curator's processor.py were indented outside the try block → their exceptions were never caught by the handler

Medium Issues - 18

Dependency Version Mismatches

  • Anthropic: 0.25.0 / 0.34.0 → unified to 0.34.0
  • Supabase: 2.0.0 / 2.4.0 → unified to 2.4.0
  • Python: 3.9 / 3.11 → unified to 3.11 (3.9 EOL: Oct 2025)

Missing Input Validation

  • /contests?status=invalid&limit=999 was accepted without any validation of the query parameters
  • Fixed: status validated against an enum, limit restricted to the range 1-100

Documentation Drift

  • ai-insight-curator README described a FastAPI service → the project is actually a pure Telegram Bot
  • Implementation status unclear

Stats

Metric          Value
New commits     15
Files modified  22
Code deleted    347 lines
Code added      200 lines
Tests passed    91/91 files ✅

Key Lessons

  1. Security from day one: Add .env to .gitignore before first commit
  2. Explicit versioning: Pin all dependencies to exact versions (avoid open >= ranges)
  3. Specific exceptions: Use HTTPError, ValueError — never bare Exception
  4. Regular audits: Schedule security reviews every 3-6 months

Action Checklist

Urgent (24 hours):

  • [ ] Rotate API keys (Anthropic/Supabase/Telegram)

High (1 week):

  • [ ] Verify SSL verification is enabled everywhere
  • [ ] Replace broad Exception catches with specific types

Medium (2 weeks):

  • [ ] Audit all exception handling
  • [ ] Set up quarterly security reviews

Ongoing:

  • [ ] Document lessons learned
  • [ ] Apply to next projects

Conclusion

In 3 months: 23 issues found and fixed.

If we'd done security right from day one:

  • Audit time: 0 hours
  • Cost: $0
  • Deployment delays: 0 days

The most important step: Start now. Every fix prevents future incidents.
