Hi,
I need to disable the access to env variables from my flows/nodes. For instance I want the env.get('PASSWORD') to be inaccesible from the function core node.
I work on Linux Ubuntu and I cannot find the directory/file which would include the Function node source code - editing the source code might be a potential solution.
Or maybe you have some other solution to make env variables inaccessible?
Thanks 
Can you explain the use case for this? The solution may depend on that.
I want to separate the node red service user (who may potentially have access to the flows) from the vulnerable data on the server itself (API keys, passwords etc.). It's basically a security consern.
Do you want nodes to be configurable via env cars at all?
If not, one workaround would be to add some code to your settings.js file that clears process.env of any env vars you don't want the flows to access.
You probably need to also block the file and exec nodes.
Another possibility may be to run node red under Docker. Then it would not be able to access anything on the server that you have not given it access to.
Just preventing access from Function nodes would accomplish little, as env vars can be read via Change nodes, for example.
Indeed - this is where I was going with my question about being able to configure nodes via env vars at all.
We could easily enough add a setting that prevents the env type accessing process.env. The env type would still be useful inside subflows, for example, that can set their own locally-scoped env vars.
All right, you all convinced me that editing the source code is not only inelegant but also inefficient.
That sounds really good. Could you specify what property in settings.js would make it work?
Actually I run my nodered server on docker, I just haven't come up with this idea as I'm not very experienced. I will try to find a way to isolate node red container from env vars if the solution with settings.js doesn't satisfy me. Do you have any advices or keywords on this topic?
PS. This forum rocks!!!
No such setting exists. I was saying we could add support for one. But that isn't going to happen overnight. It needs someone to do the work to propose a specific change and do the work to implement it.
I think the default in a docker container is to be not able to access the system env vars at all. I don't know what, if any, system env vars the provided node-red docker image does inherit. If you build your own image then you will have full control of that. I hope I am right in stating this as I have not used docker much, but that is my understanding.
This topic was automatically closed 60 days after the last reply. New replies are no longer allowed.
Copyright OpenJS Foundation and Node-RED contributors. All rights reserved. The OpenJS Foundation has registered trademarks and uses trademarks. For a list of trademarks of the OpenJS Foundation, please see our Trademark Policy and Trademark List. Trademarks and logos not indicated on the list of OpenJS Foundation trademarks are trademarksā¢ or registeredĀ® trademarks of their respective holders. Use of them does not imply any affiliation with or endorsement by them.
The OpenJS Foundation | Terms of Use | Privacy Policy | OpenJS Foundation Bylaws | Trademark Policy | Trademark List | Cookie Policy