Disable access to ENV vars

I need to disable the access to env variables from my flows/nodes. For instance I want the env.get('PASSWORD') to be inaccesible from the function core node.
I work on Linux Ubuntu and I cannot find the directory/file which would include the Function node source code - editing the source code might be a potential solution.

Or maybe you have some other solution to make env variables inaccessible?

Thanks :smiley:

Can you explain the use case for this? The solution may depend on that.

I want to separate the node red service user (who may potentially have access to the flows) from the vulnerable data on the server itself (API keys, passwords etc.). It's basically a security consern.

Do you want nodes to be configurable via env cars at all?

If not, one workaround would be to add some code to your settings.js file that clears process.env of any env vars you don't want the flows to access.

You probably need to also block the file and exec nodes.

Another possibility may be to run node red under Docker. Then it would not be able to access anything on the server that you have not given it access to.

Just preventing access from Function nodes would accomplish little, as env vars can be read via Change nodes, for example.

Indeed - this is where I was going with my question about being able to configure nodes via env vars at all.

We could easily enough add a setting that prevents the env type accessing process.env. The env type would still be useful inside subflows, for example, that can set their own locally-scoped env vars.

All right, you all convinced me that editing the source code is not only inelegant but also inefficient.

That sounds really good. Could you specify what property in settings.js would make it work?

Actually I run my nodered server on docker, I just haven't come up with this idea as I'm not very experienced. I will try to find a way to isolate node red container from env vars if the solution with settings.js doesn't satisfy me. Do you have any advices or keywords on this topic?

PS. This forum rocks!!!

No such setting exists. I was saying we could add support for one. But that isn't going to happen overnight. It needs someone to do the work to propose a specific change and do the work to implement it.

I think the default in a docker container is to be not able to access the system env vars at all. I don't know what, if any, system env vars the provided node-red docker image does inherit. If you build your own image then you will have full control of that. I hope I am right in stating this as I have not used docker much, but that is my understanding.

This topic was automatically closed 60 days after the last reply. New replies are no longer allowed.