consider load-and-delete option for environment variables #190
Comments
This is a good proposal. Variables designed for node-config would be the ones that node-config would remove, and in v.1.x there could be an opt-in variable for this, while in 2.x the variable could be opt out.
There are a couple layers of environment variables to consider here. First are the ones that are likely for exclusive use of
These all seem fairly safe to scrub, with the
A second layer of related environment variables are defined in
On the other hand, someone may be using environment variables and hooking them up precisely because the environment variables need to be accessed from another location besides
However, to be clear: We are not deleting the environment variables everywhere, we simply can't delete from the parent process. The deletion affects only the current JavaScript process.
If for some reason
// Run with full original un-scrubbed environment.
config.runWithEnv(my.function);
// Run with just the env vars corresponding to these variables:
config.runWithEnv(my.function, ['mongo.connectStr', 's3.apiKey']);
Scrubbing node-config related environment variables after loading them into
Making this behavior opt-in prevents accidental scrubbing, and allowing opt-out in v2.0 is appropriate for those that require access to those variables outside the scope of
Adding support such as
That all sounds good, thanks for the feedback.
+1
Thanks for interest, @willsr. We're happy to consider a PR if you are motivated to work on one.
@lorenwest the security benefit of this is weaker than I first realized, after finding that the complete environment used to launch the process is available in http://serverfault.com/a/79463/63268
There is still /some/ benefit to the load-and-delete pattern of environment variables. It prevents accidentally exposing them further when humans or tools dump the Node.js
You're welcome to close this. If your code isn't secure this is the least of your concerns.
Did this move any further?
@gtramontina No. The benefits are less clear, since
Related: #602 proposing masking sensitive values.
Environment Variables Considered Harmful for Your Secrets raises some good points about using environment variables for configuration. You've likely seen an error page, log or alert email which contains a full environment dump.
What about having an option to delete environment variables after loading them into node-config? This would be safe for values that are exclusively accessed through node config after that, and not directly through the environment. It seems sensible to standardize on exclusively using node-config for configuration access if it is being used in most places.
If some tool or library required configuration-by-environment, the specific environment variable could be set just before calling it and deleted just after the call completed.
A global option for this could be useful, but per-variable inclusions or exclusions might also be required. On the other hand, if a variable is being set in the environment because something requires it there, then node-config need not be involved and thus no exception would need to be made in node-config.
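The load-and-delete pattern proposed in this issue, together with the "set just before calling it and delete just after" wrapper, as an added JavaScript example that is not node-config code and not taken from the thread: `loadAndScrub`, `runWithEnv` and `has` are hypothetical helper names, and the `EXAMPLE_*` variables are constructed sample values. It changes only `process.env` inside the current Node.js process.

```javascript
// Hypothetical helpers for illustration; not part of node-config's API.
const has = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

// Copy the named variables out of env, then delete them so that a later dump
// of process.env (error page, log, alert email) no longer contains them.
function loadAndScrub(names, env = process.env) {
  const loaded = {};
  for (const name of names) {
    if (has(env, name)) {
      loaded[name] = env[name];
      delete env[name];
    }
  }
  return Object.freeze(loaded);
}

// Put selected variables back only while fn runs, then delete them again,
// whether fn returns, throws, or returns a promise that settles later.
function runWithEnv(fn, loaded, names = Object.keys(loaded), env = process.env) {
  const restored = names.filter((n) => has(loaded, n) && !has(env, n));
  for (const n of restored) env[n] = loaded[n];
  const cleanup = () => { for (const n of restored) delete env[n]; };
  let result;
  try {
    result = fn();
  } catch (err) {
    cleanup();
    throw err;
  }
  if (result && typeof result.then === 'function') {
    return Promise.resolve(result).finally(cleanup);
  }
  cleanup();
  return result;
}

// Constructed sample values, not real credentials.
function demo() {
  process.env.EXAMPLE_MONGO_URL = 'mongodb://user:example@localhost/db';
  process.env.EXAMPLE_S3_KEY = 'constructed-key';
  const secrets = loadAndScrub(['EXAMPLE_MONGO_URL', 'EXAMPLE_S3_KEY']);
  const afterScrub = has(process.env, 'EXAMPLE_S3_KEY');
  const duringCall = runWithEnv(() => process.env.EXAMPLE_S3_KEY, secrets, ['EXAMPLE_S3_KEY']);
  const afterCall = has(process.env, 'EXAMPLE_S3_KEY');
  return { afterScrub, duringCall, afterCall, viaConfig: secrets.EXAMPLE_MONGO_URL };
}
```

Child processes spawned inside the `runWithEnv` callback inherit the restored variables; ones spawned outside it do not.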