-
Notifications
You must be signed in to change notification settings - Fork 30k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Warn on insecure environment options / CLI flags #21774
Comments
I'm in favor of such a change. I also think that we might not want to allow to change |
I've wanted these kinds of warnings since I introduced emitWarning. It was part of my original use case for it. Big +1 |
I’m on board with warnings for all three situations you’re suggesting. I don’t think we need to prohibit programmatic usage, though. Printing a warning is already close enough to effectively break a feature in a lot of circumstances. |
This would definitly make sense to me 👍 |
👍 from me, too. Developers and operations people alike might not be aware of but hopefully a warning will be picked up by any monitoring / alerting system in use. Should we also include an option to suppress this warning for people who have a legitimate reason to run with this setting? |
@MarcinHoppe There is already an I am not sure if there needs to be a one to suppress just these kind of warnings (or perhaps even a specific warning only). I don't want to overengineer it from the start, so perhaps it would make sense to add that in case if someone who would actually need it asks? |
I wholeheartedly endorse this approach :). 👍 from me. |
Warn on the first request that sets the NODE_TLS_REJECT_UNAUTHORIZED environment variable to '0'. PR-URL: nodejs#21900 Refs: nodejs#21774 Reviewed-By: James M Snell <jasnell@gmail.com>
To me this is somewhat related to #21424. |
As this has been open for some time and there are no new ideas, closing. Feel free to reopen if you have some more ideas to propose (alternatively — filing a separate issue would also be great)! |
Refs: nodejs#23444 Refs: nodejs#21774 PR-URL: nodejs#23640 Reviewed-By: Anna Henningsen <anna@addaleax.net> Reviewed-By: Gireesh Punathil <gpunathi@in.ibm.com> Reviewed-By: Colin Ihrig <cjihrig@gmail.com> Reviewed-By: Sam Roberts <vieuxtech@gmail.com> Reviewed-By: Sakthipriyan Vairamani <thechargingvolcano@gmail.com> Reviewed-By: Eugene Ostroukhov <eostroukhov@google.com>
Refs: #23444 Refs: #21774 PR-URL: #23640 Reviewed-By: Anna Henningsen <anna@addaleax.net> Reviewed-By: Gireesh Punathil <gpunathi@in.ibm.com> Reviewed-By: Colin Ihrig <cjihrig@gmail.com> Reviewed-By: Sam Roberts <vieuxtech@gmail.com> Reviewed-By: Sakthipriyan Vairamani <thechargingvolcano@gmail.com> Reviewed-By: Eugene Ostroukhov <eostroukhov@google.com>
Refs: #23444 Refs: #21774 PR-URL: #23640 Reviewed-By: Anna Henningsen <anna@addaleax.net> Reviewed-By: Gireesh Punathil <gpunathi@in.ibm.com> Reviewed-By: Colin Ihrig <cjihrig@gmail.com> Reviewed-By: Sam Roberts <vieuxtech@gmail.com> Reviewed-By: Sakthipriyan Vairamani <thechargingvolcano@gmail.com> Reviewed-By: Eugene Ostroukhov <eostroukhov@google.com>
Refs: #23444 Refs: #21774 PR-URL: #23640 Reviewed-By: Anna Henningsen <anna@addaleax.net> Reviewed-By: Gireesh Punathil <gpunathi@in.ibm.com> Reviewed-By: Colin Ihrig <cjihrig@gmail.com> Reviewed-By: Sam Roberts <vieuxtech@gmail.com> Reviewed-By: Sakthipriyan Vairamani <thechargingvolcano@gmail.com> Reviewed-By: Eugene Ostroukhov <eostroukhov@google.com>
Refs: #23444 Refs: #21774 PR-URL: #23640 Reviewed-By: Anna Henningsen <anna@addaleax.net> Reviewed-By: Gireesh Punathil <gpunathi@in.ibm.com> Reviewed-By: Colin Ihrig <cjihrig@gmail.com> Reviewed-By: Sam Roberts <vieuxtech@gmail.com> Reviewed-By: Sakthipriyan Vairamani <thechargingvolcano@gmail.com> Reviewed-By: Eugene Ostroukhov <eostroukhov@google.com>
Note: this is not about deprecation, it is about printing runtime warnings about security impact of some of the Node.js environment options. That would probably be a semver-major change.
Environment options are more dangereous because:
npm
) with those than modify them to use unsafe API.I have seen npm credentials in logs from npm being run with
NODE_DEBUG=http
and those logs being attached to issues.I have seen modules setting
NODE_TLS_REJECT_UNAUTHORIZED
.So far, the ones that I am aware of:
Upd: done in tls: warn on NODE_TLS_REJECT_UNAUTHORIZED = '0' #21900, thanks, @cjihrig!NODE_TLS_REJECT_UNAUTHORIZED=0
(Propose NODE_TLS_REJECT_UNAUTHORIZED be renamed #5258),Upd: done in util: Adding warnings when NODE_DEBUG is set as http/http2 #21914, thanks, @antsmartian!NODE_DEBUG=http
(exposes auth data, logs are unsafe to share),--inspect=0.0.0.0
flag? Not an env var, but highly copy-pasted.Anything else?
I also would like some discussion here, as I am not sure if that is the best approach in this situation.
/cc @nodejs/security-wg
The text was updated successfully, but these errors were encountered: