fix: avoid leaking defined env vars when trying to access not defined…
… env vars (#10030) * fix: avoid leaking defined env vars when trying to access not defined env vars * test: add some testing for env var usage and leaking * add some comments to .env.production - it normally shouldn't be committed to repo
Showing
6 changed files
with
88 additions
and
3 deletions.
@@ -0,0 +1,5 @@ | ||
# This file is commited to repo only to validate that env vars are available | ||
# to use in frontend and don't leak if not used (secrets used in Node). | ||
# You should NOT commit `.env` files to your repository for production sites. | ||
EXISTING_VAR=foo bar | ||
VERY_SECRET_VAR=it's a secret |
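Review bot: The header comment on the first line of this fixture misspells "committed" as "commited", and since this is the one `.env` file that is intentionally checked in, its three-line explanation is exactly what readers will look at: `# This file is committed to repo only to validate that env vars are available`. The values `foo bar` and `it's a secret` are unquoted; dotenv-style loaders presumably take them literally, but the apostrophe would break the file if it were ever sourced by a shell, so a short note on the third comment line saying the file is only meant for a dotenv loader would avoid surprises.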
@@ -0,0 +1,32 @@ | ||
const { exec } = require(`child_process`) | ||
|
||
const grepJSFilesFor = str => | ||
new Promise(resolve => { | ||
const grep = exec(`grep -r "${str}" ./public/*.js`) | ||
|
||
grep.stdout.on(`data`, () => { | ||
resolve(true) | ||
return | ||
}) | ||
|
||
grep.on(`close`, () => { | ||
resolve(false) | ||
return | ||
}) | ||
}) | ||
|
||
const checkLeakedEnvVar = async () => { | ||
const isLeaked = | ||
(await grepJSFilesFor(`VERY_SECRET_VAR`)) || | ||
(await grepJSFilesFor(`it's a secret`)) | ||
|
||
if (isLeaked) { | ||
console.error(`Error: VERY_SECRET_VAR found in bundle`) | ||
process.exit(1) | ||
} else { | ||
console.log(`Success: VERY_SECRET_VAR not found in bundle`) | ||
process.exit(0) | ||
} | ||
} | ||
|
||
checkLeakedEnvVar() |
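Review bot: grepJSFilesFor treats any grep run that emits no stdout as "not leaked", including the case where grep fails outright (exit code 2, e.g. `./public/*.js` matching nothing because the build did not happen or wrote elsewhere), so a broken build makes the leak check report `Success` — a false negative in the one check meant to catch secret exposure. grep's exit status is the reliable signal (0 found, 1 not found, 2 error), so the `close` handler should resolve on 0/1 and reject otherwise, and the floating `checkLeakedEnvVar()` call at the bottom needs a `.catch` that exits non-zero, since an unhandled rejection would otherwise end the script without a failing status. `-F` makes both search strings literal rather than regex patterns; the interpolation of `str` into a shell command is only exercised with the two constants in this file, but `execFile('grep', [...])` would remove the shell from the path entirely if the helper is ever reused.
```javascript
// Resolves true when grep finds `str`, false when it does not, and rejects
// when grep itself fails (exit status 2, e.g. no ./public/*.js to search), so a
// missing or empty build cannot be reported as "not leaked".
const grepJSFilesFor = str =>
  new Promise((resolve, reject) => {
    exec(`grep -rF "${str}" ./public/*.js`, error => {
      if (!error) return resolve(true)
      if (error.code === 1) return resolve(false)
      reject(error)
    })
  })

// … unchanged: checkLeakedEnvVar …

checkLeakedEnvVar().catch(error => {
  console.error(`Error: leak check could not run`, error)
  process.exit(2)
})
```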
@@ -0,0 +1,29 @@ | ||
import React from 'react' | ||
|
||
import Layout from '../components/layout' | ||
|
||
const UseEnv = ({ heading, envVar }) => ( | ||
<React.Fragment> | ||
<h2>{heading}</h2> | ||
<pre> | ||
<code data-testid={heading}>{JSON.stringify(envVar)}</code> | ||
</pre> | ||
</React.Fragment> | ||
) | ||
|
||
const SecondPage = () => ( | ||
<Layout> | ||
<h1>Using env vars</h1> | ||
<UseEnv heading="process.env" envVar={process.env} /> | ||
<UseEnv | ||
heading="process.env.EXISTING_VAR" | ||
envVar={process.env.EXISTING_VAR} | ||
/> | ||
<UseEnv | ||
heading="process.env.NOT_EXISTING_VAR" | ||
envVar={process.env.NOT_EXISTING_VAR} | ||
/> | ||
</Layout> | ||
) | ||
|
||
export default SecondPage |
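Review bot: The first UseEnv in SecondPage serializes the whole `process.env` object into the page, which is the right probe for the client bundle, but this page is also rendered to static HTML at build time; if that render evaluates the real Node `process.env` rather than the substituted object, the full build environment (VERY_SECRET_VAR included) would land in `public/*.html`, and the leak check added in this commit greps only `./public/*.js`. It would be worth confirming what the SSR render sees and, if in doubt, extending the check to the generated HTML as well. A one-line comment above that element would also help future readers: `{/* Dumps the whole env object on purpose: the e2e check asserts that only whitelisted vars reach the bundle. */}`.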