Environment file is exposed

Problem description

When running the application, sensitive environment variables are being displayed in the output, which could potentially lead to security vulnerabilities.

Expected behavior

The output or logs should not expose sensitive environment variables.

Actual behavior

Sensitive environment variables are displayed in the output or logs, which poses a security risk.

Steps to reproduce

import path from "path";
import os from "os";
import fs from "fs";

// Resolve the working directory and a path three levels above it
const __dirname = path.resolve();
console.log(__dirname);
const backstep = path.join(__dirname, "../../../");
const folderPath = path.join(__dirname, "Hello");

// Host information from the os module
console.log(os.platform());
console.log(os.freemem());
console.log(os.homedir());
console.log(os.hostname());
console.log(os.type());
console.log(os.uptime());

fs.mkdir(folderPath, { recursive: true }, () => {
  console.log("Folder created successfully");
});

const fileList = fs.readdirSync(__dirname);

console.log('Files and folders in the directory:', fileList);

// process.env is logged wholesale here, which is what exposes the secrets
const { platform, arch, env, pid, ppid, hrtime } = process;
console.log(process.cwd());
console.log(platform, arch, env, pid, ppid, hrtime);

console.log(os.networkInterfaces());
console.log(os.userInfo());
console.log(backstep);

// Walk upward from the working directory and list what is there
const filelist = fs.readdirSync(backstep);
console.log("Files and folders in the directory backstep: ", filelist);

const users = path.join(backstep, "usr");
const userslist = fs.readdirSync(users);
console.log("Files and folders in the directory usr: ", userslist);

Browser

Brave

OS

Linux

Device if mobile

HP OMEN 16

Plan

Free tier

Please upload screenshots
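The report above logs process.env wholesale. As an added example (not code from the report or from Replit), the helper below logs the environment with secret-looking keys masked and credentials stripped from any value that parses as a URL; the key pattern and the sample environment are assumptions constructed for the demonstration.

```javascript
// Added example, not from the original report: log process.env without
// leaking secrets. Keys matching SECRET_KEY_PATTERN (an assumed list) are
// masked entirely; any other value that parses as a URL loses its userinfo.
const SECRET_KEY_PATTERN =
  /(secret|token|password|passwd|pwd|api[_-]?key|private|credential|database_url|db_url)/i;

// Strip user:password@ from a URL value; non-URL values are returned as-is.
function redactUrlCredentials(value) {
  let url;
  try {
    url = new URL(value);
  } catch {
    return value; // not a URL, nothing to strip
  }
  if (!url.username && !url.password) return value;
  // url.host already includes the port; rebuild without the userinfo part
  return `${url.protocol}//[redacted]@${url.host}${url.pathname}${url.search}`;
}

// Return a copy of env safe to print: secret keys masked, URL creds removed.
function redactEnv(env) {
  const out = {};
  for (const [key, value] of Object.entries(env)) {
    if (value === undefined) continue;
    out[key] = SECRET_KEY_PATTERN.test(key)
      ? "[redacted]"
      : redactUrlCredentials(value);
  }
  return out;
}

// Constructed sample environment; none of these are real credentials.
const sampleEnv = {
  PATH: "/usr/bin:/bin",
  HOME: "/home/runner",
  REPLIT_DB_URL: "https://kv.example.invalid/abc123",
  DATABASE_URL: "postgres://app:hunter2@db.example.invalid:5432/app",
  CACHE_URL: "redis://default:pw@cache.example.invalid:6379",
  API_KEY: "sk-constructed-example",
};

console.log(redactEnv(sampleEnv));
```

Use redactEnv(process.env) in place of logging env directly; keys not covered by the pattern still print, so extend the pattern for your own secret names.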

You… Log the env variables. If it didn’t log what you told it to, then that’d be really annoying.

1 Like

Nobody else can access that data if it isn’t inside the code. Wouldn’t it have different env log data for that forked project even if they fork it?

I might be misunderstanding this as well, however.

1 Like

Ah, I see what you’re getting at. Programming languages are indeed designed to follow instructions to the letter. However, what I’m highlighting here is a little quirk in the system – the exposure of environment variables via Node.js on Replit. Now, I’m fully aware that Replit runs in a container on their servers, and my actions won’t shake things up on their end. But bear with me as I shine a light on something crucial: the presence of a database URL in the environment. It’s like leaving the keys in the ignition – it might not cause a problem now, but it’s a potential vulnerability waiting to be exploited. And while I’m just starting out on this coding journey, it’s worth noting that in the wrong hands, even a beginner’s oversight could lead to trouble.

You literally have to be able to see and use that URL, Replit database uses it. It’s also a unique link per-repl and changes periodically.

1 Like