Only expose NEXT_PUBLIC_* and TINA_PUBLIC_* ENV vars #3584 (Merged)
Fixes #3579 by exposing NODE_ENV, NEXT_PUBLIC_*, TINA_PUBLIC_*, and HEAD (for integration with Netlify) environment vars in the admin.

Update:
To address this, update @tinacms/cli to the latest patch 1.0.9. If you're on a version prior to 1.0.0 this vulnerability does not affect you.
Tina credentials like the API token are not considered especially vulnerable because they're for read-only access. Nevertheless, it may be a good idea to update them.
More importantly, if your Tina-enabled website has other credentials (e.g. Algolia API keys) you should rotate those keys immediately.
Going forward, if you're using environment variables in any field customization (i.e. ui.component functions), you'll need to make sure those are prefixed with TINA_PUBLIC_ (NEXT_PUBLIC_ is also supported).
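The allowlist behaviour the PR description spells out, written up as an added example rather than TinaCMS's own code: the old pattern copies every variable into the client-served admin bundle, the hardened form keeps only NODE_ENV, HEAD, and keys that start with NEXT_PUBLIC_ or TINA_PUBLIC_. The function names, the `env` object argument, the define-map shape and the sample environment are my assumptions for illustration; the only things taken from the page are the allowlisted names.

```javascript
// Added example (not TinaCMS code): restrict which environment variables may
// be embedded in a browser-served admin bundle. Allowlist taken from the PR
// description; everything else here is assumed for illustration.

const EXACT_ALLOW = new Set(['NODE_ENV', 'HEAD']);
const PREFIX_ALLOW = ['NEXT_PUBLIC_', 'TINA_PUBLIC_'];

// Env var names are case-sensitive and the prefix must be at the start:
// a key that merely contains the prefix (MY_TINA_PUBLIC_X) is not public.
function isPublicEnvKey(key) {
  if (EXACT_ALLOW.has(key)) return true;
  return PREFIX_ALLOW.some((prefix) => key.startsWith(prefix));
}

// The pattern the fix replaces: the whole environment, server-only
// secrets included, ends up in the client bundle.
function exposeAllEnv(env) {
  return { ...env };
}

// Hardened form: only allowlisted keys reach the client.
function pickPublicEnv(env) {
  const out = {};
  for (const [key, value] of Object.entries(env)) {
    if (isPublicEnvKey(key) && value !== undefined) out[key] = value;
  }
  return out;
}

// Bundlers usually substitute `process.env.X` with a literal at build time.
// Emitting one entry per allowlisted key (JSON-encoded) means the client
// never holds a reference to the real process.env object.
function toDefineMap(publicEnv) {
  const defines = {};
  for (const [key, value] of Object.entries(publicEnv)) {
    defines[`process.env.${key}`] = JSON.stringify(value);
  }
  return defines;
}

// A public prefix does not make a value safe: flag allowlisted keys whose
// names suggest a credential so a reviewer can decide before shipping.
const SUSPICIOUS = /SECRET|TOKEN|PASSWORD|PRIVATE/;
function suspiciousPublicKeys(publicEnv) {
  return Object.keys(publicEnv).filter(
    (key) => !EXACT_ALLOW.has(key) && SUSPICIOUS.test(key)
  );
}

// Constructed sample environment; every value is a placeholder.
const SAMPLE_ENV = {
  NODE_ENV: 'production',
  HEAD: 'main',
  NEXT_PUBLIC_SITE_URL: 'https://example.com',
  TINA_PUBLIC_CLIENT_ID: 'client-id-placeholder',
  TINA_PUBLIC_SEARCH_TOKEN: 'search-token-placeholder',
  TINA_TOKEN: 'read-only-token-placeholder',
  ALGOLIA_ADMIN_KEY: 'admin-key-placeholder',
  MY_TINA_PUBLIC_NOTE: 'not-actually-public',
};

const publicEnv = pickPublicEnv(SAMPLE_ENV);
console.log('old behaviour exposes:', Object.keys(exposeAllEnv(SAMPLE_ENV)));
console.log('after fix exposes:', Object.keys(publicEnv));
console.log('review before shipping:', suspiciousPublicKeys(publicEnv));
console.log('define map:', toDefineMap(publicEnv));
```

Running the block shows TINA_TOKEN, ALGOLIA_ADMIN_KEY and MY_TINA_PUBLIC_NOTE dropped from the bundle, and TINA_PUBLIC_SEARCH_TOKEN reported for review even though its prefix passes the allowlist; that last check is the caveat the "Going forward" note implies, since prefixing a variable is a declaration that it is public, not a guarantee.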