
Leaked content of comments when debug: true #569

Closed
Jolg42 opened this issue Nov 5, 2021 · 7 comments

Comments

@Jolg42

Jolg42 commented Nov 5, 2021

Given this configuration

require('dotenv').config({ debug: true })

and this .env

#Local
DATABASE_URL=postgresql://user:password@localhost:5432/database
#Production
#DATABASE_URL=postgresql://user:password@pg-db-provision.id.eu-central-1.rds.amazonaws.com:5432/database

Dotenv output will show

[dotenv][DEBUG] did not match key and value when parsing line 1: #Local
[dotenv][DEBUG] did not match key and value when parsing line 1: #Production
[dotenv][DEBUG] did not match key and value when parsing line 1: #DATABASE_URL=postgresql://user:password@pg-db-provision.id.eu-central-1.rds.amazonaws.com:5432/database

Leaking the secret into the logs 😨

I see a PR that could solve this has been opened and then closed, about removing comments from the DEBUG logs: #404
@maxbeatty What do you think about this in this new light?

(Context: prisma/prisma#9428)

@maxbeatty
Contributor

I don't participate in maintaining this repository anymore, but you asked what I think so I'll tell you I think you're solving the wrong problem 😸 The intention of the debug option for dotenv is to help understand why you might not be getting the expected values assigned to process.env. It is not intended as a general logging tool.

The problem you should be solving is how to separate your local and production secrets so they are not together in the same file. I know it's easier, but it's also less secure. Ideally, your production and other hosted environments don't use .env files at all. There are lots of great secure secret management tools out there. Further, I wouldn't allow connections to RDS outside of a VPC, but I digress.

Good luck! Hope you all find a solution that works for everyone ✌🏼

@Jolg42
Author

Jolg42 commented Nov 5, 2021

@maxbeatty thanks for chiming in!

Indeed I really don't recommend mixing secrets here but some people do 🙈

@Jolg42
Author

Jolg42 commented Nov 11, 2021

Hi @motdotla, pinging you since it seems you are the most active on the codebase, what do you think about this?
Any feedback is welcome!

@janpio

janpio commented Nov 11, 2021

To potentially explain what we are trying to do:

Some of the other debug: true output we find super useful in our own verbose mode, as it gives more information about what happened with the user's .env file:

[dotenv][DEBUG] "FOO" is already defined in `process.env` and will not be overwritten
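The two behaviours discussed in this thread (the opening report, where a debug message echoes a commented-out line containing a secret, and the "already defined" message janpio wants to keep) can be shown side by side with a minimal .env loader. This is an added example, not dotenv's own code: `parseEnv`, `applyToEnv`, `demo` and the sample file contents are all constructed here. The fix it demonstrates is simply to skip blank and comment lines before any debug logging, and to report only the line number (never the line text) when a line fails to parse, while the "already defined" message names the key but never its value.

```javascript
// Added example (not dotenv's own code): a minimal .env loader whose debug
// output never echoes raw line content, so a commented-out secret cannot leak.
const LINE_RE = /^\s*([\w.-]+)\s*=\s*(.*)?\s*$/;

// Parse .env text into an object. `log` is injectable so callers can capture output.
function parseEnv(src, { debug = false, log = console.log } = {}) {
  const parsed = {};
  src.split(/\r?\n/).forEach((rawLine, index) => {
    const lineNo = index + 1;
    const line = rawLine.trim();
    // Blank lines and comments are dropped *before* any debug logging, so the
    // text of a comment (e.g. a commented-out DATABASE_URL) is never emitted.
    if (line === '' || line.startsWith('#')) return;
    const match = LINE_RE.exec(line);
    if (!match) {
      // Report the position only, never the content of the unparseable line.
      if (debug) log(`[dotenv][DEBUG] did not match key and value when parsing line ${lineNo}`);
      return;
    }
    const key = match[1];
    let value = (match[2] || '').trim();
    // Strip one pair of matching surrounding quotes, like dotenv does.
    const q = value[0];
    if (value.length >= 2 && (q === '"' || q === "'") && value[value.length - 1] === q) {
      value = value.slice(1, -1);
    }
    parsed[key] = value;
  });
  return parsed;
}

// Copy parsed keys into `env` without overwriting existing ones. The debug
// message names the key (useful for troubleshooting) but never its value.
function applyToEnv(parsed, env, { debug = false, log = console.log } = {}) {
  const skipped = [];
  for (const [key, value] of Object.entries(parsed)) {
    if (Object.prototype.hasOwnProperty.call(env, key)) {
      if (debug) log(`[dotenv][DEBUG] "${key}" is already defined in \`process.env\` and will not be overwritten`);
      skipped.push(key);
    } else {
      env[key] = value;
    }
  }
  return skipped;
}

// Constructed sample mirroring the .env in the report; the production host is a
// placeholder, and a malformed line is added to exercise the "did not match" path.
const SAMPLE_ENV = [
  '#Local',
  'DATABASE_URL=postgresql://user:password@localhost:5432/database',
  '#Production',
  '#DATABASE_URL=postgresql://user:password@db.example.invalid:5432/database',
  'this line has no equals sign',
  '',
].join('\n');

// Run the loader against the sample with debug on and return everything it did.
function demo() {
  const messages = [];
  const log = (m) => messages.push(m);
  const parsed = parseEnv(SAMPLE_ENV, { debug: true, log });
  const env = { DATABASE_URL: 'already-set' }; // stands in for process.env
  const skipped = applyToEnv(parsed, env, { debug: true, log });
  return { parsed, env, skipped, messages };
}

console.log(JSON.stringify(demo(), null, 2));
```

Running it shows two debug lines: one for the malformed line 5 (position only) and one for the key that was already set. Neither line contains a credential, which is the property worth asserting in a test of any debug path that handles configuration files.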

@motdotla
Owner

The debug feature needs a fresh pass. It's being used for a different reason than it was originally intended.


We will improve it soon. It includes requests here as well:

@motdotla
Owner

@Jolg42 this is fixed in v13.0.1. Let us know if you run into any trouble.

And for production (and other) environments, you can use Dotenv Sync.

@motdotla
Owner

@janpio see comment above.

Thank you for your patience everyone on this one.
