Block env.get in function node

Hi. I use node-red in a shared system, so others users can access the editor. I don't want to exclude from the editor the function node.
But I saw that, if I know the environment variables name, I can print them on debug console.
These env. Vars. Contain sensitive informations. Is there a way to block the env.get functionality?
Or I have to exclude the node from the editor?
All the ideas are welcome, thanks :slight_smile:

You can also access environment variables through a number of other nodes, such as the Change node and Inject node. It is best not to put sensitive information in env variables. node-red-contrib-credentials might be useful to you instead.

1 Like

Whilst that is true, it is also true to say that Node-RED is in complete control as to what is allowed to be accessed or not, so it would be feasible to add some sort of allow/deny list in settings.js.

But it also depends on the specific requirements.

If they are env vars that are set in the environment, but otherwise unused by Node-RED, then you could clear them in your settings.js file to prevent the runtime from being able to see them:

process.env.secret = "";

If they are env vars that you use in node configurations, then it is a harder problem - how do we identify when its a valid use of the env var versus an invalid use?

1 Like

Thanks. I figured out that I can print on debug console just with an inject node. damn.

Yes, they are env vars used by Node-RED. I use them into some custom nodes.

Is there a way to use them only in custom nodes but not shown in debug console?

I use them to set docker container parameters.

Would the contrib node I suggested help or do you need to set them outside of node red? I suspect it is possible to add items to the credentials outside of node red but not sure how.

1 Like

No, unfortunately it isn't useful.. I have to configure docker instances with these env vars, so I can't 'hide' them in the frontend flow. It's a backend problem..

I think that Nicks suggestion of overwriting them in settings.js is likely to be the best bet if that works. Or running Node-RED from within its own shell environment (or from systemd) where those Docker variables wouldn't be visible.

The only other alternative that I can think of would be to overwrite the process.env function in Node.js but I suspect that would break other things.

Despite what many web tutorials would have you believe, environment variables are not secure and shouldn't be used for sensitive data. Particularly when you are then making an entire development platform (Node-RED) and server development service (node.js) available to end users.

1 Like

That can't work because I use them to configure a docker instance running Node-RED.
And I use those vars in a lot of custom nodes :frowning: So I can't just overwrite them.
I have to change something in the architecture I think..

In your settings.js, transfer the env variables to something else - you can add properties to the settings that are only accessible from custom nodes I believe.

Once you've transferred them, blank them.

This topic was automatically closed 60 days after the last reply. New replies are no longer allowed.