Excluding env vars

Hi,
I can use the "envVarExcludes" key in settings.js to exclude some env variables that I do not want to be present in Node-RED.
This is handled in @node-red/runtime/lib/flows/util.js

However inside function node I can get it like:
msg.payload = RED.util.getSetting(null, "MY_SECRET_ENV", null)

That's because there is no protection in this part of the code: @node-red/util/lib/util.js

Shouldn't it also be protected?

Another question: would it be possible to have a setting that allows removing RED.util from the function node sandbox?

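An added illustration of the single-chokepoint design this post is asking for, written for this thread and not taken from Node-RED's source: both access paths share one guarded resolver, so a name listed in the exclusion list cannot be read by switching from `${}` substitution to a direct getter. The sample env object, the exclusion list and the simplified one-argument `getSetting(name)` signature are constructed assumptions.

```javascript
// Added illustration (not Node-RED's code): one guarded resolver for env vars,
// shared by the ${VAR} substitution path and the direct getter path, so an
// entry in envVarExcludes cannot be bypassed by choosing a different access path.
// Assumed shapes: `env` is a plain object like process.env; `excludes` is the
// settings.js envVarExcludes array of exact variable names (no wildcards here).

function createEnvResolver(env, excludes) {
  const blocked = new Set(excludes);

  // Single chokepoint: every env lookup in the runtime goes through here.
  function getEnvVar(name) {
    if (blocked.has(name)) return undefined;
    return Object.prototype.hasOwnProperty.call(env, name) ? env[name] : undefined;
  }

  // Stand-in for the direct getter a Function node could call (simplified signature).
  function getSetting(name) {
    return getEnvVar(name);
  }

  // Stand-in for ${VAR} substitution in node properties. Excluded or missing
  // names become an empty string; that policy is this example's own choice.
  function substitute(value) {
    return value.replace(/\$\{([^}]+)\}/g, (_, name) => {
      const v = getEnvVar(name);
      return v === undefined ? "" : v;
    });
  }

  return { getSetting, substitute };
}

// Constructed sample environment and exclusion list (not real secrets).
const sampleEnv = { MY_SECRET_ENV: "hunter2", PUBLIC_URL: "http://localhost:1880" };
const sampleExcludes = ["MY_SECRET_ENV"];
const resolver = createEnvResolver(sampleEnv, sampleExcludes);

// Both paths are denied the excluded name; a non-excluded name still resolves.
function demo() {
  return {
    direct: resolver.getSetting("MY_SECRET_ENV"),          // undefined
    substituted: resolver.substitute("${MY_SECRET_ENV}"),  // ""
    allowed: resolver.substitute("${PUBLIC_URL}/admin"),   // "http://localhost:1880/admin"
  };
}
```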

Hi @bubson

Please raise an issue on github with the details so we can address it: Issues · node-red/node-red · GitHub

Can you expand on why you'd want that removed? The Function node sandbox isn't a fully secure sandbox; there are ways it can be circumvented if you are familiar enough with JavaScript. At best, it provides some guard rails by not making the full node.js environment readily available.

@knolleary
I see your point of view.
So I have another question. One thing is that there is the possibility of escaping the function node sandbox context.
Second, knowing that the "vm" module is "exploitable" in a way that makes it possible to execute any code, for example you can install npm modules that are disallowed in settings (I know that much more "harmful things" can be done), do you have any plans to redesign the function node in the future? Or will it be left as is?