Document meaning of accessToken in nx.json tasksRunnerOptions/default and whether to commit to a public repo #3649
Comments
You can set this as an Environment Variable on your machine. Set the env var of |
@sonicparke thanks for pointing that out. The next thing for me to check is if nx can load from |
That I haven't tried. Would be interested to know though. |
I am using direnv with the following code:

```sh
PATH_add node_modules/.bin
# DO NOT ADD YOUR OWN CONFIG HERE, USE .env
# runs through the defaults and exports them
[ -e ./env.local ] && dotenv ./env.local
# creates (if not exist) and loads .env
>>.env; dotenv
```

This will firstly set .bin in your path, so you don't need to install things like nx globally (or need to prefix it with npx or yarn). Secondly it checks env.local (which I check into git with some non-confidential defaults) and will run it. Thirdly it creates an empty .env file for you which is NOT checked into git and you can overwrite any env.local config there. It then runs dotenv against that to overwrite and load into your environment.

env.local:

```
NODE_ENV=development
NX_CLOUD_AUTH_TOKEN=fake-token
```
|
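One way to put the env-var approach from this thread into practice, as an added example that is not from the thread or from the nx project: a POSIX sh script that loads `NX_CLOUD_AUTH_TOKEN` from an untracked `.env` file and acts as a pre-commit gate that fails if `nx.json` still carries a literal `accessToken`. The file names, the sample `nx.json` contents and the token values are constructed for the example; the check assumes the `accessToken` key sits on one line, as in the generated file.

```shell
#!/bin/sh
# Added example (not from the issue thread or the nx project).
# Keeps the nx-cloud token out of nx.json: load it from a git-ignored .env
# file, and refuse to commit while a literal token is still in nx.json.

# Read KEY=VALUE lines from an env file and export them.
# Blank lines and '#' comments are skipped; quoting is not interpreted.
load_env_file() {
    envfile="$1"
    [ -f "$envfile" ] || return 0
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            ''|'#'*) continue ;;
        esac
        key="${line%%=*}"
        value="${line#*=}"
        export "$key=$value"
    done < "$envfile"
}

# Return 0 if the file carries a non-empty literal accessToken on one line,
# i.e.  "accessToken": "something"  ; return 1 otherwise.
nx_json_has_literal_token() {
    grep -Eq '"accessToken"[[:space:]]*:[[:space:]]*"[^"]+"' "$1"
}

# Pre-commit style gate: non-zero exit (with a reason) when a literal token is found.
precommit_check() {
    if nx_json_has_literal_token "$1"; then
        echo "refusing to commit: $1 contains a literal accessToken; set NX_CLOUD_AUTH_TOKEN in .env instead" >&2
        return 1
    fi
    return 0
}

# Constructed sample inputs (not real project files), written to a temp dir.
# Prints the directory path so callers can locate the files.
make_samples() {
    dir=$(mktemp -d)
    cat > "$dir/nx-committed.json" <<'EOF'
{
  "tasksRunnerOptions": {
    "default": {
      "runner": "nx-cloud",
      "options": {
        "accessToken": "CONSTRUCTED-TOKEN-VALUE",
        "cacheableOperations": ["build", "test"]
      }
    }
  }
}
EOF
    cat > "$dir/nx-clean.json" <<'EOF'
{
  "tasksRunnerOptions": {
    "default": {
      "runner": "nx-cloud",
      "options": {
        "cacheableOperations": ["build", "test"]
      }
    }
  }
}
EOF
    printf '%s\n' '# local secrets, git-ignored' \
        'NX_CLOUD_AUTH_TOKEN=constructed-local-token' > "$dir/.env"
    printf '%s\n' "$dir"
}
```

Typical use is `precommit_check nx.json` from a git pre-commit hook and `load_env_file .env` from the shell (or, as in the comment above, letting direnv's `dotenv` do the loading); with `.env` in `.gitignore` the token never reaches the public repository while the generated `nx.json` keeps only the non-secret settings.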
This issue has been automatically marked as stale because it hasn't had any recent activity. It will be closed in 14 days if no further activity occurs. |
This ticket wasn't completed as far as I can see. There is still no documentation about how accessToken should be managed in a public repo at e.g. https://nx.dev/nx-cloud/account/access-tokens This is particularly problematic when scaffolding automatically populates the file with a plaintext unclaimed read/write access token direct in the scaffolded repo. Thanks to the default behaviour you can see at https://github.com/search?p=3&q=tasksRunnerOptions+accessToken&type=Code it seems that there are a lot of read/write accessTokens public that if unclaimed could be used to send (and therefore indirectly run) arbitrary code on developers' machines. With limited documentation about how to mitigate this threat it could be a problem that developers don't fix. To achieve this, the attacker would craft a lightly-modified build that the victim can be socially-engineered into downloading (e.g. an innocuous looking PR against a public project) but which includes some additional asset in the pre-populated cache, none of which would be visible in the PR, as it would be injected to the cache directly. The extra payload wouldn't be an actual build artefact of the PR at all, but nx can't reason about that. By way of an example, in my second attempt to use a public access key, I claimed the space for |
I found some scenarios at https://nx.dev/nx-cloud/account/scenarios with important discussion of some aspects, but there's still no short path for a regular reader between the guidance such as https://youtu.be/GT7XIwG1i5A?t=85 and the potential importance of not committing a read-write token to public Github. |
Why is this issue closed? Is the accessToken generated in nx.json sensitive or not? |
This issue has been closed for more than 30 days. If this issue is still occurring, please open a new issue with more recent context. |
I'm used to something called an accessToken being private. I see the nx-cloud access token is public in a generated project, whether or not with the oss layout, and that nx's is also public in this repo, so I think it must not give access to a resource that's supposed to be protected:
https://github.com/nrwl/nx/blob/master/nx.json#L19
I'm not clear on what the access token does and would like to know and I think it may help other newbies to nx. Thanks!