Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Warn on insecure environment options / CLI flags #21774

Closed
ChALkeR opened this issue Jul 11, 2018 · 9 comments
Closed

Warn on insecure environment options / CLI flags #21774

ChALkeR opened this issue Jul 11, 2018 · 9 comments
Labels
discuss Issues opened for discussions and feedbacks. security Issues and PRs related to security.

Comments

@ChALkeR
Copy link
Member

ChALkeR commented Jul 11, 2018

Note: this is not about deprecation, it is about printing runtime warnings about security impact of some of the Node.js environment options. That would probably be a semver-major change.

Environment options are more dangereous because:

  • It is very simple to blindly copy-paste suggestions from the internet without understanding the security impact — more simple than writing unsafe code.
  • Users are more likely to blindly run some programs (like npm) with those than modify them to use unsafe API.
  • User might not even know that they are using unsafe env options: other appliations, stale/corrupted env, some libraries from npm — those all can set unsafe env options without user noticing that.

I have seen npm credentials in logs from npm being run with NODE_DEBUG=http and those logs being attached to issues.
I have seen modules setting NODE_TLS_REJECT_UNAUTHORIZED.

So far, the ones that I am aware of:

Anything else?

I also would like some discussion here, as I am not sure if that is the best approach in this situation.
/cc @nodejs/security-wg

@ChALkeR ChALkeR added discuss Issues opened for discussions and feedbacks. security Issues and PRs related to security. labels Jul 11, 2018
@ChALkeR ChALkeR changed the title Warn on insecure Node.js environment options / CLI flags Warn on insecure environment options / CLI flags Jul 12, 2018
@mcollina
Copy link
Member

I'm in favor of such a change.

I also think that we might not want to allow to change NODE_DEBUG and NODE_TLS_REJECT_UNAUTHORIZED at runtime, or that we should sample those values at startup.

@jasnell
Copy link
Member

jasnell commented Jul 12, 2018

I've wanted these kinds of warnings since I introduced emitWarning. It was part of my original use case for it. Big +1

@addaleax
Copy link
Member

I’m on board with warnings for all three situations you’re suggesting.

I don’t think we need to prohibit programmatic usage, though. Printing a warning is already close enough to effectively break a feature in a lot of circumstances.

@vdeturckheim
Copy link
Member

This would definitly make sense to me 👍

@MarcinHoppe
Copy link

👍 from me, too. Developers and operations people alike might not be aware of but hopefully a warning will be picked up by any monitoring / alerting system in use.

Should we also include an option to suppress this warning for people who have a legitimate reason to run with this setting?

@ChALkeR
Copy link
Member Author

ChALkeR commented Jul 19, 2018

@MarcinHoppe There is already an --no-warnings option to suppress warnings from Node.js, that should suppress these too.

I am not sure if there needs to be a one to suppress just these kind of warnings (or perhaps even a specific warning only). I don't want to overengineer it from the start, so perhaps it would make sense to add that in case if someone who would actually need it asks?

@MarcinHoppe
Copy link

I don't want to overengineer it from the start, so perhaps it would make sense to add that in case if someone who would actually need it asks?

I wholeheartedly endorse this approach :). 👍 from me.

cjihrig added a commit to cjihrig/node that referenced this issue Jul 23, 2018
Warn on the first request that sets the
NODE_TLS_REJECT_UNAUTHORIZED environment variable to '0'.

PR-URL: nodejs#21900
Refs: nodejs#21774
Reviewed-By: James M Snell <jasnell@gmail.com>
@BridgeAR
Copy link
Member

To me this is somewhat related to #21424.

@ChALkeR
Copy link
Member Author

ChALkeR commented Oct 12, 2018

--inspect extracted to #23444.

As this has been open for some time and there are no new ideas, closing.

Feel free to reopen if you have some more ideas to propose (alternatively — filing a separate issue would also be great)!

@ChALkeR ChALkeR closed this as completed Oct 12, 2018
ChALkeR added a commit to ChALkeR/io.js that referenced this issue Oct 13, 2018
Trott pushed a commit to Trott/io.js that referenced this issue Nov 6, 2018
Refs: nodejs#23444
Refs: nodejs#21774

PR-URL: nodejs#23640
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Gireesh Punathil <gpunathi@in.ibm.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Sam Roberts <vieuxtech@gmail.com>
Reviewed-By: Sakthipriyan Vairamani <thechargingvolcano@gmail.com>
Reviewed-By: Eugene Ostroukhov <eostroukhov@google.com>
targos pushed a commit that referenced this issue Nov 6, 2018
Refs: #23444
Refs: #21774

PR-URL: #23640
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Gireesh Punathil <gpunathi@in.ibm.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Sam Roberts <vieuxtech@gmail.com>
Reviewed-By: Sakthipriyan Vairamani <thechargingvolcano@gmail.com>
Reviewed-By: Eugene Ostroukhov <eostroukhov@google.com>
codebytere pushed a commit that referenced this issue Nov 29, 2018
Refs: #23444
Refs: #21774

PR-URL: #23640
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Gireesh Punathil <gpunathi@in.ibm.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Sam Roberts <vieuxtech@gmail.com>
Reviewed-By: Sakthipriyan Vairamani <thechargingvolcano@gmail.com>
Reviewed-By: Eugene Ostroukhov <eostroukhov@google.com>
MylesBorins pushed a commit that referenced this issue Nov 29, 2018
Refs: #23444
Refs: #21774

PR-URL: #23640
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Gireesh Punathil <gpunathi@in.ibm.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Sam Roberts <vieuxtech@gmail.com>
Reviewed-By: Sakthipriyan Vairamani <thechargingvolcano@gmail.com>
Reviewed-By: Eugene Ostroukhov <eostroukhov@google.com>
MylesBorins pushed a commit that referenced this issue Dec 3, 2018
Refs: #23444
Refs: #21774

PR-URL: #23640
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Gireesh Punathil <gpunathi@in.ibm.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Sam Roberts <vieuxtech@gmail.com>
Reviewed-By: Sakthipriyan Vairamani <thechargingvolcano@gmail.com>
Reviewed-By: Eugene Ostroukhov <eostroukhov@google.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
discuss Issues opened for discussions and feedbacks. security Issues and PRs related to security.
Projects
None yet
Development

No branches or pull requests

7 participants