Credentials security vulnerability

It can be displayed in a debug node, and can be read from there.

I think that is because it isn't a real environment variable but rather a Node-RED construct, where Node-RED allows you to access it using the same Node-RED mechanism.

process.env, on the other hand, does read the OS's environment variables out of system memory.

Though it probably only knows about the ones that existed when the current process started? Not sure, I haven't checked that but it would make sense.

That is the key benefit of using an environment variable, of whatever type.

I suppose that's a slight benefit, at least if you have read-only dashboard users who can't deploy flow changes.

You are repeating what @jbudd said above.

@jbudd
Anything can be read in the editor. Here is my flows_cred.json decrypted by Node-RED. I am not going to show how, but anything can be hacked if you have access to the editor; Node-RED is a powerful tool.
