Security: when run locally, plugin sends all env variables
erezrokah opened this issue · 2 comments
The plugin sets all `process.env` variables as secrets:

netlify-plugin-nimbella/index.js, line 119 in 108706a
This can leak unwanted variables, especially when run locally.
To reproduce, run `netlify build` locally with the plugin configured and see the generated `env.json` file.

You can also run `nim action get <action>` to see all the env vars added during build time.
@satyarohith the plugin can eschew generating an env file: if the Nimbella `project.yml` declares env vars, then only those declared and in the environment are bound to the functions. (A missing variable will cause a build failure.)

If the `project.yml` uses an env file inclusion, perhaps we should leave that responsibility to the user, who has to generate the env file in their build script.
The change @satyarohith has made will require Netlify functions deployed as Nimbella functions to declare their environment variables explicitly as part of a subsequent enhancement. For now no variables are captured. Functions deployed as part of a Nimbella project are not affected because bound variables must be explicitly declared already.