
fix: restrict config discovery to home directory only#142

Merged
MattDevy merged 3 commits into main from fix/tighten-config-discovery on Apr 14, 2026

Conversation

@MattDevy
Contributor

Summary

Proposal to tighten config file discovery, based on the security concerns raised in #128 (comment).

Previously, cosmiconfig walked from cwd upward through every parent directory toward $HOME, loading the first .elasticrc.yml found. A malicious config placed in a shared directory (e.g. /tmp, a cloned repo, a mounted volume) could hijack the CLI to redirect credentials to an attacker-controlled server or exfiltrate secrets via auth headers.

Changes:

  • Config discovery now only checks the home directory (~/.elasticrc.yml and variants)
  • --config-file <path> flag continues to work for explicit overrides
  • New ELASTIC_CLI_CONFIG_FILE env var as an alternative to the flag
  • Precedence: --config-file > ELASTIC_CLI_CONFIG_FILE > home-directory discovery
  • Removed searchStrategy: 'global' and directory-walking search() from cosmiconfig usage
  • Dropped package.json as a config source (only relevant with directory walking)
  • Updated README to reflect the new behavior

Test plan

  • Verify npm test passes (639 tests, 0 failures)
  • Verify config in $HOME is discovered when no flag/env var is set
  • Verify config in a parent directory of cwd is NOT discovered (security regression test included)
  • Verify --config-file /path/to/config.yml loads the explicit file
  • Verify ELASTIC_CLI_CONFIG_FILE=/path/to/config.yml loads the explicit file
  • Verify --config-file takes precedence over ELASTIC_CLI_CONFIG_FILE

Member

@JoshMock JoshMock left a comment


LGTM, but waiting to merge in case dropping cosmiconfig is something worth doing first.

Comment thread src/config/loader.ts

import { access, constants } from 'node:fs/promises'
import { homedir } from 'node:os'
Member


If we're using homedir from the stdlib and only looking strictly at 4 possible file paths, it effectively removes the need for cosmiconfig at all. Do you see value in keeping it for anything else here?

Contributor Author


Probably not. I toyed with the idea of having an env var like ELASTIC_CLI_ADDITIONAL_CONFIG_PATHS as a CSV of "trusted directories" where we could allow cosmiconfig to discover from if they were in the parent path. But honestly, I think you're probably right to suggest removing it.

Previously, cosmiconfig walked from cwd upward through every parent
directory toward $HOME, loading the first config file found. A malicious
.elasticrc.yml in a shared directory (e.g. /tmp, a cloned repo) could
hijack the CLI to redirect credentials to an attacker-controlled server.

Config is now discovered only in $HOME. Explicit overrides via
--config-file flag or ELASTIC_CLI_CONFIG_FILE env var are supported.

Precedence: --config-file > ELASTIC_CLI_CONFIG_FILE > ~/.elasticrc.yml

Ref: #128

Replace cosmiconfig with direct file reading (readFile + yaml.parse /
JSON.parse). Since config discovery is now restricted to the home
directory and a handful of known file names, cosmiconfig adds no value.

This removes 16 transitive packages from the dependency tree.
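As an added example, not code from this repository, the following TypeScript loader implements the discovery rules stated in the PR description and in the second commit message above: explicit `--config-file`, then `ELASTIC_CLI_CONFIG_FILE`, then a fixed list of file names in the home directory, read with plain `readFileSync` and parsed without cosmiconfig. Everything not on the page is an assumption: the exact list in `HOME_CONFIG_NAMES`, the function names, the fail-closed error when an explicit path does not exist, and the per-extension parser registry (JSON is built in; the `yaml` package's `parse` would be registered by the caller for `.yml`/`.yaml`). Note that the resolver takes no `cwd` input at all, which is what makes the parent-directory hijack described in the PR impossible by construction.

```typescript
import { existsSync, mkdirSync, mkdtempSync, readFileSync, writeFileSync } from 'node:fs'
import { homedir, tmpdir } from 'node:os'
import { extname, join } from 'node:path'

// Candidate file names checked in $HOME, in order. The PR says ".elasticrc.yml
// and variants" and "4 possible file paths"; this exact list is an assumption.
export const HOME_CONFIG_NAMES = ['.elasticrc.yml', '.elasticrc.yaml', '.elasticrc.json', '.elasticrc'] as const

export type ConfigSource = 'flag' | 'env' | 'home'
export interface ResolvedConfig { path: string; source: ConfigSource }

export interface ResolveOptions {
  configFileFlag?: string                   // value of --config-file, if given
  env?: Record<string, string | undefined>  // defaults to process.env
  home?: string                             // defaults to os.homedir()
  exists?: (p: string) => boolean           // injectable for tests; defaults to existsSync
}

// Resolve which file to load: --config-file > ELASTIC_CLI_CONFIG_FILE > $HOME.
// There is deliberately no cwd or parent-directory walk, so a file dropped in
// /tmp, a cloned repo or a mounted volume is never considered.
export function resolveConfigPath(opts: ResolveOptions = {}): ResolvedConfig | undefined {
  const env = opts.env ?? process.env
  const exists = opts.exists ?? existsSync
  const home = opts.home ?? homedir()

  // 1. Explicit flag. A missing explicit path is an error rather than a silent
  //    fallback, so a typo cannot quietly select a different file (this
  //    fail-closed choice is the example's own; the PR does not state it).
  if (opts.configFileFlag) {
    if (!exists(opts.configFileFlag)) throw new Error(`--config-file not found: ${opts.configFileFlag}`)
    return { path: opts.configFileFlag, source: 'flag' }
  }

  // 2. Environment variable, same fail-closed rule.
  const fromEnv = env.ELASTIC_CLI_CONFIG_FILE
  if (fromEnv) {
    if (!exists(fromEnv)) throw new Error(`ELASTIC_CLI_CONFIG_FILE not found: ${fromEnv}`)
    return { path: fromEnv, source: 'env' }
  }

  // 3. Home directory only; the first existing candidate wins.
  for (const name of HOME_CONFIG_NAMES) {
    const candidate = join(home, name)
    if (exists(candidate)) return { path: candidate, source: 'home' }
  }
  return undefined
}

// Parsers keyed by file extension. JSON is built in; callers register the
// `yaml` package's parse() for '.yml' and '.yaml' (assumed API, as in the PR).
export type Parser = (text: string) => unknown
const DEFAULT_PARSERS: Record<string, Parser> = { '.json': JSON.parse }

export interface LoadOptions extends ResolveOptions { parsers?: Record<string, Parser> }

// Read and parse the resolved file with readFileSync; no discovery library involved.
export function loadConfig(opts: LoadOptions = {}): { config: unknown; resolved: ResolvedConfig } | undefined {
  const resolved = resolveConfigPath(opts)
  if (!resolved) return undefined
  const parsers = { ...DEFAULT_PARSERS, ...(opts.parsers ?? {}) }
  // The extensionless ".elasticrc" is treated as YAML, the PR's default format.
  const ext = extname(resolved.path) || '.yml'
  const parse = parsers[ext]
  if (!parse) throw new Error(`no parser registered for ${ext} (${resolved.path})`)
  return { config: parse(readFileSync(resolved.path, 'utf8')), resolved }
}

// Stand-alone demonstration with a constructed temporary $HOME: a decoy config
// in the parent directory of $HOME is ignored and only $HOME's file is loaded.
export function demo(): { host: string; source: ConfigSource } {
  const root = mkdtempSync(join(tmpdir(), 'elastic-cli-demo-'))
  const home = join(root, 'home')
  mkdirSync(home)
  // Decoy one level above $HOME (constructed sample, points at an unreachable host).
  writeFileSync(join(root, '.elasticrc.json'), JSON.stringify({ host: 'https://decoy.example.invalid:9200' }))
  writeFileSync(join(home, '.elasticrc.json'), JSON.stringify({ host: 'https://localhost:9200' }))
  const loaded = loadConfig({ home, env: {} })
  if (!loaded) throw new Error('expected a config in $HOME')
  return { host: (loaded.config as { host: string }).host, source: loaded.resolved.source }
}
```

`demo()` returns `{ host: 'https://localhost:9200', source: 'home' }`; swapping the `home` argument for a directory with no config makes `loadConfig` return `undefined` even though the decoy exists one level up, which is the regression the PR's test plan checks for.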
@MattDevy MattDevy force-pushed the fix/tighten-config-discovery branch from dde6a9a to 89a5f05 Compare April 14, 2026 16:55
@MattDevy MattDevy merged commit 15435a8 into main Apr 14, 2026
17 checks passed
@MattDevy MattDevy deleted the fix/tighten-config-discovery branch April 14, 2026 16:59