Security: all env vars in production bundle #10021
Comments
gatsby/packages/gatsby/src/utils/webpack.config.js Lines 53 to 56 in 1858365
should use |
Hmmm, maybe that's not that simple |
Update from me - I think real problem is actually here
with this we replace |
Just looking at https://webpack.js.org/plugins/environment-plugin/ (which is just a helper around |
Actually I just read this and
So this actually says that all vars from |
@Fetten Just to check with you - in your
that's what I could reproduce and have a fix ready for |
Thank you for the quick investigation, Michal! The lines in app.js look like this:
|
Yeah, so similar situation - something is using |
Yes, you are absolutely right. SC_ATTR seems to come from styled-components but isn't defined. |
Description

While inspecting production bundles of a gatsby site, I saw that all environment variables used during the build process are included in a bundle js file. This can also include sensitive data (e.g. WordPress htaccess passwords) when used via a .env file.

Steps to reproduce

app-*.js for env vars

Expected result

Only env vars starting with GATSBY_ (and maybe others necessary for the build - which ones?) should be included in production bundles, as stated on https://www.gatsbyjs.org/docs/environment-variables/

Possible solution

I would guess that the problem is this line in the webpack.config.js:

gatsby/packages/gatsby/src/utils/webpack.config.js Line 70 in 1858365

Maybe we could white-list necessary env vars (including those starting with GATSBY_) and ignore all others. Would love to hear your thoughts on this.