From d5eb57a23b8d4f157f68848e56dcd76e21249883 Mon Sep 17 00:00:00 2001
From: Wyatt Walter <wyattwalter@gmail.com>
Date: Wed, 18 Mar 2026 16:04:40 -0500
Subject: [PATCH] chore: set password on embedded Redis instance

Generate a random password for the embedded Redis when running locally,
following the same pattern used for MongoDB, Postgres, and Supervisor
credentials. Existing installs are backfilled on next startup.

The Redis server config is written to a file rather than passed via CLI
args to keep the password out of the process list.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---
 deploy/docker/fs/opt/appsmith/entrypoint.sh   | 33 ++++++++++++++++++-
 .../fs/opt/appsmith/templates/docker.env.sh   |  4 ++-
 .../appsmith/templates/supervisord/redis.conf |  2 +-
 3 files changed, 36 insertions(+), 3 deletions(-)

diff --git a/deploy/docker/fs/opt/appsmith/entrypoint.sh b/deploy/docker/fs/opt/appsmith/entrypoint.sh
index ed569fd28212..00f1920f5e2a 100644
--- a/deploy/docker/fs/opt/appsmith/entrypoint.sh
+++ b/deploy/docker/fs/opt/appsmith/entrypoint.sh
@@ -102,8 +102,29 @@ init_env_file() {
       tr -dc A-Za-z0-9 </dev/urandom | head -c 13
       echo ''
     )
+    local generated_appsmith_redis_password=$(
+      tr -dc A-Za-z0-9 </dev/urandom | head -c 13
+      echo ''
+    )
 
-    bash "$TEMPLATES_PATH/docker.env.sh" "$default_appsmith_mongodb_user" "$generated_appsmith_mongodb_password" "$generated_appsmith_encryption_password" "$generated_appsmith_encription_salt" "$generated_appsmith_supervisor_password" > "$ENV_PATH"
+    bash "$TEMPLATES_PATH/docker.env.sh" "$default_appsmith_mongodb_user" "$generated_appsmith_mongodb_password" "$generated_appsmith_encryption_password" "$generated_appsmith_encription_salt" "$generated_appsmith_supervisor_password" "$generated_appsmith_redis_password" > "$ENV_PATH"
+  else
+    tlog "Configuration file already exists"
+    # Backfill APPSMITH_REDIS_PASSWORD for existing installs that don't have it yet.
+    # Only inject auth into the Redis URL when it points to the embedded (localhost) Redis.
+    if ! grep -q "APPSMITH_REDIS_PASSWORD" "$ENV_PATH"; then
+      local generated_appsmith_redis_password=$(
+        tr -dc A-Za-z0-9 </dev/urandom | head -c 13
+        echo ''
+      )
+      echo $'\nAPPSMITH_REDIS_PASSWORD='"$generated_appsmith_redis_password" >> "$ENV_PATH"
+      # Update the Redis URL to include the password, but only for the embedded Redis.
+      local current_redis_url
+      current_redis_url=$(grep "^APPSMITH_REDIS_URL=" "$ENV_PATH" | tail -1 | cut -d= -f2-)
+      if [[ "$current_redis_url" == *"localhost"* || "$current_redis_url" == *"127.0.0.1"* ]]; then
+        sed -i "s|^APPSMITH_REDIS_URL=.*|APPSMITH_REDIS_URL=redis://:${generated_appsmith_redis_password}@127.0.0.1:6379|" "$ENV_PATH"
+      fi
+    fi
   fi
 
   tlog "Load environment configuration"
@@ -424,6 +445,16 @@ configure_supervisord() {
     if [[ $APPSMITH_REDIS_URL == *"localhost"* || $APPSMITH_REDIS_URL == *"127.0.0.1"* ]]; then
       cp "$supervisord_conf_source/redis.conf" "$SUPERVISORD_CONF_TARGET"
       mkdir -p "$stacks_path/data/redis"
+      # Write Redis server config so the password is not visible in the process list.
+      # Placed in $TMP so it is regenerated each startup.
+      cat > "$TMP/redis.conf" <<REDIS_CONF
+save 15 1
+dir /appsmith-stacks/data/redis
+daemonize no
+logfile ""
+requirepass ${APPSMITH_REDIS_PASSWORD:-}
+REDIS_CONF
+      chmod 600 "$TMP/redis.conf"
     fi
     if [[ $runEmbeddedPostgres -eq 1 ]]; then
       cp "$supervisord_conf_source/postgres.conf" "$SUPERVISORD_CONF_TARGET"
diff --git a/deploy/docker/fs/opt/appsmith/templates/docker.env.sh b/deploy/docker/fs/opt/appsmith/templates/docker.env.sh
index abab8bcc9e3b..85e19417f099 100644
--- a/deploy/docker/fs/opt/appsmith/templates/docker.env.sh
+++ b/deploy/docker/fs/opt/appsmith/templates/docker.env.sh
@@ -6,6 +6,7 @@ DB_PASSWORD="$2"
 ENCRYPTION_PASSWORD="$3"
 ENCRYPTION_SALT="$4"
 SUPERVISOR_PASSWORD="$5"
+REDIS_PASSWORD="${6:-}"
 
 cat <<EOF
 # Sentry
@@ -63,7 +64,8 @@ APPSMITH_POSTGRES_DB_URL=postgresql://appsmith:$DB_PASSWORD@localhost:5432/appsm
 APPSMITH_MONGODB_USER=$MONGO_USER
 APPSMITH_MONGODB_PASSWORD=$DB_PASSWORD
 
-APPSMITH_REDIS_URL=redis://127.0.0.1:6379
+APPSMITH_REDIS_URL=redis://:$REDIS_PASSWORD@127.0.0.1:6379
+APPSMITH_REDIS_PASSWORD=$REDIS_PASSWORD
 
 APPSMITH_ENCRYPTION_PASSWORD=$ENCRYPTION_PASSWORD
 APPSMITH_ENCRYPTION_SALT=$ENCRYPTION_SALT
diff --git a/deploy/docker/fs/opt/appsmith/templates/supervisord/redis.conf b/deploy/docker/fs/opt/appsmith/templates/supervisord/redis.conf
index c157ab7b4fe1..3c6cdd5d643b 100644
--- a/deploy/docker/fs/opt/appsmith/templates/supervisord/redis.conf
+++ b/deploy/docker/fs/opt/appsmith/templates/supervisord/redis.conf
@@ -1,7 +1,7 @@
 [program:redis]
 ; The `--save` is for saving session data to disk more often, so recent sessions aren't cleared on restart.
 ; The empty string to `--logfile` is for logging to stdout so that supervisor can capture it.
-command=redis-server --save 15 1 --dir /appsmith-stacks/data/redis --daemonize no --logfile ""
+command=redis-server %(ENV_TMP)s/redis.conf
 autorestart=true
 autostart=true
 priority=5