Only expose NEXT_PUBLIC_* and TINA_PUBLIC_* ENV vars
#3584
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
The latest updates on your projects. Learn more about Vercel for Git ↗︎
|
🦋 Changeset detectedLatest commit: 61f8c0e The changes in this PR will be included in the next version bump. This PR includes changesets to release 3 packages
Not sure what this means? Click here to learn what changesets are. Click here if you're a maintainer who wants to add another changeset to this PR |
jeffsee55
approved these changes
Feb 6, 2023
|
Will this need some documentation for the whitelist? Looks like Also unclear what your policies are around security leaks, but as a user I would want to know that my secure build credentials may have leaked to publicly accessible files so I could deal with it and roll credentials if required. |
jamespohalloran
changed the title
logan-anderson
changed the title
NEXT_PUBLIC_* and TINA_PUBLIC_* ENV vars
logan-anderson
changed the title
NEXT_PUBLIC_* and TINA_PUBLIC_* ENV varsNEXT_PUBLIC_* and TINA_PUBLIC_* ENV vars
This pull request was closed.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Fixes #3579 by exposing
NODE_ENV,NEXT_PUBLIC_*,TINA_PUBLIC_*, andHEAD(for integration with Netifly) environment vars in the admin.--
Update:
To address this, update @tinacms/cli to the latest patch 1.0.9. If you're on a version prior to 1.0.0 this vulnerability does not affect you.
Tina credentials like the API token are not considered especially vulnerable because they're for read-only access. Nevertheless, it may be a good idea to update them.
More importantly, if your Tina-enabled website has other credentials (eg. Algolia API keys) you should rotate those keys immediately.
Going forward, if you're using environment variables in any field customization (ie. ui.component functions), you'll need to make sure those are prefixed with TINA_PUBLIC_ (NEXT_PUBLIC_ is also supported).