Hi, I need to disable the access to env variables from my flows/nodes. For instance I want the env.get('PASSWORD') to be inaccesible from the function core node. I work on Linux Ubuntu and I cannot find the directory/file which would include the Function node source code - editing the source code …

Can you explain the use case for this? The solution may depend on that.

I want to separate the node red service user (who may potentially have access to the flows) from the vulnerable data on the server itself (API keys, passwords etc.). It's basically a security consern.

Do you want nodes to be configurable via env cars at all? If not, one workaround would be to add some code to your settings.js file that clears process.env of any env vars you don't want the flows to access.

You probably need to also block the file and exec nodes.

[image] Colin: Just preventing access from Function nodes would accomplish little, as env vars can be read via Change nodes, for example. Indeed - this is where I was going with my question about being able to configure nodes via env vars at all. We could easily enough add a setting that pre…

All right, you all convinced me that editing the source code is not only inelegant but also inefficient. [image] knolleary: We could easily enough add a setting that prevents the env type accessing process.env. That sounds really good. Could you specify what property in settings.js would mak…

[image] Bulduper: That sounds really good. Could you specify what property in settings.js would make it work? No such setting exists. I was saying we could add support for one. But that isn't going to happen overnight. It needs someone to do the work to propose a specific change and do the wo…

[image] Bulduper: I will try to find a way to isolate node red container from env vars I think the default in a docker container is to be not able to access the system env vars at all. I don't know what, if any, system env vars the provided node-red docker image does inherit. If you build …

Disable access to ENV vars

Core Development

Colin 19 July 2021 13:50 6

Another possibility may be to run node red under Docker. Then it would not be able to access anything on the server that you have not given it access to.

Just preventing access from Function nodes would accomplish little, as env vars can be read via Change nodes, for example.

Topic		Replies	Views
Block env.get in function node General	10	673	23 August 2020
Is there a way to externalize mongodb connection info General	26	1638	28 December 2019
Configure env variables General	9	256	2 July 2025
Excluding env vars General	3	104	16 January 2025
How to access environment variables in HTML of custom node Developing Nodes	4	1494	15 January 2021

Disable access to ENV vars

Related topics