make keys explicitly included to prevent leaking

fivetanley · Nov 3, 2014 · c885731 · c885731
1 parent 30af6dd
commit c885731
Show file tree

Hide file tree

Showing 6 changed files with 42 additions and 5 deletions.
diff --git a/.env b/.env
@@ -1 +1,2 @@
 DOTENV_VAR="dotenv"
+DO_NOT_ALLOW="this should not show up in ENV"
diff --git a/Brocfile.js b/Brocfile.js
@@ -2,7 +2,11 @@
 
 var EmberAddon = require('ember-cli/lib/broccoli/ember-addon');
 
-var app = new EmberAddon();
+var app = new EmberAddon({
+  dotEnv: {
+    allow: ['DOTENV_VAR']
+  }
+});
 
 // Use `app.import` to add additional libraries to the generated
 // output files.

diff --git a/README.md b/README.md
@@ -17,6 +17,21 @@ file in the root of your repository:
 DROPBOX_KEY=YOURKEYGOESHERE
 ```
 
+Next, put some configuration in your Brocfile. Starting in 0.2.0, *keys must be explicitly allowed*:
+
+```javascript
+// Brocfile.js
+
+var app = new EmberApp({
+  dotEnv: {
+    allow: ['DROPBOX_KEY']
+  }
+});
+
+// pre-generated config from ember-cli
+module.exports = app.toTree();
+```
+
 then, you can access the environment variables anywhere in your app like
 you usually would.
 

diff --git a/index.js b/index.js
@@ -5,13 +5,26 @@ module.exports = {
     var path = require('path');
     var fs = require('fs');
     var dotenv = require('dotenv');
+    var app = this.app;
+    var project = this.project;
+    var loadedConfig;
+    var config = {};
+    var allowedKeys = (app.options.dotEnv && app.options.dotEnv.allow) || [];
 
-    var configFilePath = path.join(this.project.root, '.env');
+    console.log('allowedKeys', allowedKeys);
+
+    var configFilePath = path.join(project.root, '.env');
 
     if (fs.existsSync(configFilePath)){
-      return dotenv.parse(fs.readFileSync(configFilePath));
+      loadedConfig = dotenv.parse(fs.readFileSync(configFilePath));
     } else  {
-      return {};
+      loadedConfig = {};
     }
+
+    allowedKeys.forEach(function(key){
+      config[key] = loadedConfig[key];
+    });
+
+    return config;
   }
 };
diff --git a/package.json b/package.json
@@ -1,6 +1,6 @@
 {
   "name": "ember-cli-dotenv",
-  "version": "0.1.1",
+  "version": "0.2.0",
   "directories": {
     "doc": "doc",
     "test": "tests"

diff --git a/tests/integration/smoke-test.js b/tests/integration/smoke-test.js
@@ -5,3 +5,7 @@ module("smoke test");
 test("should work", function(){
   equal(ENV.DOTENV_VAR, "dotenv");
 });
+
+test("doesn't put in keys unless they are explicitly allowed", function(){
+  equal(Object.hasOwnProperty.call(ENV, 'DO_NOT_ALLOW'), false);
+});