Vite config loadEnv exposing all envs to frontend. #16686
Comments
https://vitejs.dev/guide/api-javascript.html#loadenv Hey there, @pumanitro! Here you've manually turned off the guardrails by sending in an empty string as prefix. This is intended and well documented behaviour. I recommend checking the documentation for the functions you call, especially if a plagiarism engine recommends a function you haven't used before.

I totally understand it; still, I am proposing that this not be so easy to do, especially if it can cost companies lives. An empty string is hard to notice in comparison to a string like this: 'YES_I_WANT_TO_EXPOSE_ALL_OF_MY_ENVS_TO_THE_WORLD_AND_BOTS'.
I don't think there's an issue with
```js
define: {
  'process.env': clientEnv,
},
```
In Vite, we do issue an error if you set

Note that the documentation (kind of) suggests you do this. When explaining how to use

Screenshotting till they remove it :)

loadEnv(mode, process.cwd(), '') (the effective value in the submission) is very different from loadEnv(mode, process.cwd(), '').APP_ENV (the effective value in the documentation). It's like the difference between "rm -rf /opt/" and "rm -rf / opt/". Just one character makes the difference between removing all of the third-party apps on the system and deleting everything that it can find. As in most professions, you need to know what you are doing to use your tools properly and effectively.
Describe the bug
This line of code:
```ts
const clientEnv = loadEnv(mode, process.cwd(), '');
```
in the vite.config.ts file (the entire Vite configuration) was the place that caused our CI/CD envs to be exposed to the world.
Of course, some bots that scrape the internet read the compiled bundle, got our keys, and used them to cause a massacre.
Yes, we *** up using a ChatGPT-generated config and doing code review.
Still, it should not be so easy to do, and I feel more people could be affected by that.
It is also hard to find during code review because these are 2 signs that can cost you and your company a lot of money.
IMO it should show some error at least somewhere, or take a value like 'YES_I_WANT_TO_EXPOSE_ALL_OF_MY_ENVS_TO_THE_WORLD_AND_BOTS'.
Reproduction
https://stackblitz.com/edit/vitejs-vite-e6fzdp?file=vite.config.ts&terminal=dev
Steps to reproduce
No response
System Info
Used Package Manager
npm
Logs
No response
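The failure mode described in this issue, and the distinction the later comment draws between `loadEnv(mode, process.cwd(), '')` (the whole environment) and `loadEnv(mode, process.cwd(), '').APP_ENV` (one value), can be checked at config time rather than discovered in a leaked bundle. The following is an added example, not code from the Vite project or from the issue author: `loadEnvLike` is an assumed stand-in for the prefix-filtering part of Vite's `loadEnv` so the script runs offline, `SAMPLE_ENV` is a constructed environment, and `assertOnlyPublicEnv` / `buildSafeDefine` are hypothetical guards you would call from `vite.config.*` before handing anything to `define`.

```javascript
// Added example (not Vite's own code). Demonstrates why an empty prefix is a
// footgun and how a config-time guard refuses to ship non-public variables.

// Constructed sample environment, standing in for a CI/CD runner's process.env.
const SAMPLE_ENV = {
  VITE_API_URL: 'https://api.example.invalid',
  VITE_FEATURE_FLAG: 'on',
  AWS_SECRET_ACCESS_KEY: 'constructed-placeholder-secret',
  DATABASE_URL: 'postgres://user:pw@db.internal/app',
  NODE_ENV: 'production',
};

// Assumed stand-in for the prefix filter inside Vite's loadEnv: keep only keys
// that start with one of the prefixes. An empty-string prefix matches every key,
// which is exactly what loadEnv(mode, process.cwd(), '') does.
function loadEnvLike(env, prefixes) {
  const list = Array.isArray(prefixes) ? prefixes : [prefixes];
  const out = {};
  for (const [key, value] of Object.entries(env)) {
    if (list.some((p) => key.startsWith(p))) out[key] = value;
  }
  return out;
}

// The documented pattern: load everything but pick out a single value. Only
// that scalar ever reaches the bundle, not the whole map.
function readSingleVar(env, name) {
  return loadEnvLike(env, '')[name];
}

// Which keys in clientEnv are NOT covered by an allowed public prefix?
function findLeakedKeys(clientEnv, allowedPrefixes = ['VITE_']) {
  return Object.keys(clientEnv).filter(
    (key) => !allowedPrefixes.some((p) => key.startsWith(p)),
  );
}

// Hypothetical guard: throw instead of letting unprefixed variables into
// define: { 'process.env': clientEnv }. Returns clientEnv unchanged when clean.
function assertOnlyPublicEnv(clientEnv, allowedPrefixes = ['VITE_']) {
  const leaked = findLeakedKeys(clientEnv, allowedPrefixes);
  if (leaked.length > 0) {
    throw new Error(
      `Refusing to expose non-public env vars to the client bundle: ${leaked.join(', ')}`,
    );
  }
  return clientEnv;
}

// Hypothetical helper that builds a per-key define map from public keys only,
// so a wrong prefix elsewhere cannot widen what ends up in the bundle.
function buildSafeDefine(env, allowedPrefixes = ['VITE_']) {
  const publicEnv = loadEnvLike(env, allowedPrefixes);
  const define = {};
  for (const [key, value] of Object.entries(publicEnv)) {
    define[`process.env.${key}`] = JSON.stringify(value);
  }
  return define;
}

// Stand-alone demo: the '' prefix pulls in secrets, the guard rejects it.
if (typeof require !== 'undefined' && require.main === module) {
  const everything = loadEnvLike(SAMPLE_ENV, '');
  console.log('leaked with empty prefix:', findLeakedKeys(everything));
  try {
    assertOnlyPublicEnv(everything);
  } catch (err) {
    console.log(err.message);
  }
  console.log('safe define map:', buildSafeDefine(SAMPLE_ENV));
  console.log('single documented value:', readSingleVar(SAMPLE_ENV, 'NODE_ENV'));
}

module.exports = { SAMPLE_ENV, loadEnvLike, readSingleVar, findLeakedKeys, assertOnlyPublicEnv, buildSafeDefine };
```

In a real `vite.config.ts` the call would be `assertOnlyPublicEnv(loadEnv(mode, process.cwd(), ''))` immediately after `loadEnv`, which turns the silent exposure into a failed build; `buildSafeDefine` shows the alternative of never defining `process.env` as a whole object and letting only `VITE_`-prefixed keys through.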