Credentials security vulnerability

Colin · 27 August 2024 16:42

It can be displayed in a debug node, and can be read from there.

TotallyInformation · 27 August 2024 17:01

I think that is because it isn't a real environment variable but rather a node-red construct. Where Node-RED allows you to access it using the same node-red mechanism.

process.env on the other hand does read the OS's environment variables out of system memory.

Though it probably only knows about the ones that existed when the current process started? Not sure, I haven't checked that but it would make sense.

jbudd · 27 August 2024 17:21

That is the key benefit of using an environment variable, of whatever type.

I suppose that's a slight benefit, at least if you have read-only dashboard users who can't deploy flow changes.

E1cid · 27 August 2024 17:26

You are repeating what @jbudd said above.

@jbudd
Anything can be read in editor here is my flows_cred.json decrypted by node-red, I am not going to show how but anything can be hacked if you have access to the editor, node-red is a powerful tool.

Topic		Replies	Views
Flows-cred.json decrypt/encrypt dependency General	4	318	15 July 2023
Decrypting node-red credentials file General	2	272	1 April 2023
Support for .env files? or other ways to store and load secrets? General security	15	111	21 November 2024
Flow credentials cannot be decrypted General	9	2366	31 May 2022
Should I be worried? (Message noticed while editing a flow) General	10	9024	26 December 2018

Credentials security vulnerability

Related topics