Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix(ops): add node.js env variable allowlist #15893

Merged
merged 3 commits into from
Sep 14, 2022
Merged

fix(ops): add node.js env variable allowlist #15893

merged 3 commits into from
Sep 14, 2022

Conversation

cjihrig
Copy link
Contributor

@cjihrig cjihrig commented Sep 13, 2022

This commit allows the Node compatibility layer to skip environment variable permission checks when --unstable is passed and the variable name is one that Node uses.

Fixes: #15890

@cjihrig
fix(ops): add node.js env variable allowlist
e5c5066 
This commit allows the Node compatibility layer to skip
environment variable permission checks when --unstable
is passed and the variable name is one that Node uses.

Fixes: #15890
@cjihrig cjihrig requested a review from dsherret September 13, 2022 19:08
ry
ry reviewed Sep 13, 2022
View reviewed changes
ext/node/lib.rs Outdated
Comment on lines 85 to 87
set.insert("OPENSSL_CONF".to_string());
set.insert("SSL_CERT_DIR".to_string());
set.insert("SSL_CERT_FILE".to_string());
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

these potentially have security implications

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Does that mean you'd like me to remove them?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Maybe we should keep this list really short for now and only allow the env vars that cause a lot of prompts/pain?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

OK. I've made the list significantly smaller.

dsherret
dsherret approved these changes Sep 14, 2022
View reviewed changes
Copy link
Member

@dsherret dsherret left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@cjihrig cjihrig requested a review from ry September 14, 2022 13:58
@cjihrig cjihrig merged commit 19deec4 into denoland:main Sep 14, 2022
@cjihrig cjihrig deleted the node-allowlist branch September 14, 2022 15:59
cjihrig added a commit that referenced this pull request Sep 15, 2022
@cjihrig
fix(ops): add node.js env variable allowlist (#15893)
e90f42c 
This commit allows the Node compatibility layer to skip
environment variable permission checks when --unstable
is passed and the variable name is one that Node uses.

Fixes: #15890
@kt3k kt3k mentioned this pull request Jan 26, 2023
Closed
@kt3k kt3k mentioned this pull request Feb 9, 2023
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@dsherret dsherret dsherret approved these changes

@ry ry Awaiting requested review from ry

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

add allow-list for special env vars like NODE_DEBUG
3 participants
@cjihrig @ry @dsherret