Dear Netflix Security Team,
I am writing to responsibly disclose several security-hardening concerns identified within the public "Netflix/metaflow" repository, primarily affecting local development and devstack configuration files under "devtools/tilt/".
While these settings may be intended for local or non-production environments, the presence of static credentials and reusable cryptographic material in public repositories may increase the risk of accidental reuse, insecure deployments, or developer-environment compromise.
Observed Findings
- Static PostgreSQL Credentials
Location: "devtools/tilt/postgresql.tiltfile"
The repository contains hardcoded PostgreSQL authentication values, including:
  - "auth.username"
  - "auth.password"
  - "auth.postgresPassword"
These appear to be default development credentials.
- Default Airflow Administrative Credentials
Location: "devtools/tilt/airflow.tiltfile"
The Airflow development environment appears configured with default administrative credentials ("admin/admin") for local access.
- Static Airflow Fernet Key
Location: "devtools/tilt/airflow.tiltfile"
A static "AIRFLOW_FERNET_KEY" is embedded directly within the repository.
Because Fernet keys are used to encrypt/decrypt sensitive Airflow metadata, reuse of this key outside isolated local environments could introduce risk.
- Plain-text Development Secrets
Location: "devtools/tilt/k8s/minio-secret.yaml"
Static MinIO-style access credentials are stored directly in YAML configuration files intended for local orchestration.
- MD5 Usage for Identifier Generation
Location: "metaflow/plugins/airflow/airflow_utils.py"
The project appears to use "hashlib.md5" for internal identifier generation. While this may not be security-sensitive usage, documenting the use of deprecated hashing primitives may still be valuable for long-term hardening.
Proof of Review
The findings were identified through publicly accessible repository files and local validation only. No unauthorized access, production interaction, or destructive activity was performed.
Recommendations
- Replace static secrets with environment-based injection.
- Add clear warnings indicating credentials are for local development only.
- Rotate any secrets that may have been reused outside isolated environments.
- Consider adding automated secret-scanning protections for future commits.
- Evaluate whether Fernet keys should be dynamically generated during local setup.
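As an added illustration of the first and last recommendations (example code, not Metaflow's own), the check below flags the sensitive keys named above when a Tiltfile or YAML binds them to a literal, and pairs it with a Fernet key generated fresh for each local setup and read from the environment. The MinIO variable names, the environment variable names and the sample snippets are constructed for this example.

```python
"""Devstack secret-hygiene check: an added example, not Metaflow's own code."""
import base64
import os
import re
# Keys the report names; the two MinIO variable names are assumed, not taken from the repo.
SENSITIVE_KEYS = {"auth.username", "auth.password", "auth.postgresPassword",
                  "AIRFLOW_FERNET_KEY", "MINIO_ROOT_USER", "MINIO_ROOT_PASSWORD"}
# key = "value"  /  "key": "value"  /  key: value  (Starlark dict, YAML, env-style)
_ASSIGN = re.compile(r'["\']?(?P<key>[A-Za-z_][A-Za-z0-9_.]*)["\']?\s*[:=]\s*["\']?(?P<val>[^"\'\s,]+)')
# Value is resolved at runtime instead of being stored in the file.
_ENV_REF = re.compile(r'os\.getenv\(|os\.environ|\$\{?[A-Z_]|valueFrom:|secretKeyRef')


def find_static_secrets(text):
    """Return (line_no, key, literal) for every sensitive key bound to a literal."""
    hits = []
    for no, line in enumerate(text.splitlines(), 1):
        m = _ASSIGN.search(line)
        if m and m.group("key") in SENSITIVE_KEYS and not _ENV_REF.search(line):
            hits.append((no, m.group("key"), m.group("val")))
    return hits


def new_fernet_key():
    """32 random bytes as urlsafe base64, the Fernet key format; generate per devstack, never commit."""
    return base64.urlsafe_b64encode(os.urandom(32)).decode()


def is_fernet_key(value):
    """True when value is 44 urlsafe-base64 chars decoding to exactly 32 bytes."""
    try:
        return len(value) == 44 and len(base64.urlsafe_b64decode(value)) == 32
    except ValueError:
        return False


# Constructed samples modelled on the findings above, not the repository's files.
STATIC_TILTFILE = '''postgres_values = {
    "auth.username": "metaflow",
    "auth.password": "metaflow",
    "auth.postgresPassword": "postgres",
}
AIRFLOW_FERNET_KEY = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA="
'''
HARDENED_TILTFILE = '''postgres_values = {
    "auth.username": os.getenv("PG_USER"),
    "auth.password": os.getenv("PG_PASSWORD"),
    "auth.postgresPassword": os.getenv("PG_SUPERUSER_PASSWORD"),
}
AIRFLOW_FERNET_KEY = os.getenv("AIRFLOW_FERNET_KEY")  # set from new_fernet_key() at setup
'''
```

Running `find_static_secrets` over `STATIC_TILTFILE` reports all four literals while the hardened variant reports none; wiring the check into a pre-commit hook over `devtools/` gives the automated scanning the recommendations ask for.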
Thank you for your time and for maintaining open-source infrastructure securely.
Best regards,
Md Jakariya
Security Researcher
Independent Security Researcher
Email: mdtanvir1234512345678900@gmail.com