Excluding env vars

bubson · 18 October 2024 13:44

Hi,
I can use "envVarExcludes" key in settings.js to exclude some env variables that i do not want to be present in node-red.
This is handled in @node-red/runtime/lib/flows/util.js

However inside function node I can get it like:
msg.payload=RED.util.getSetting(null, "MY_SECRET_ENV", null)

That`s becouse there is no protecion in this part of code: @node-red/util/lib/util.js

Shouldn`t it be also protected?

Another question, would it be possible to have a setting that allow to remove RED.util from function node sandbox?

knolleary · 18 October 2024 14:29

Hi @bubson

Please raise an issue on github with the details so we can address it: Issues · node-red/node-red · GitHub

Can you expand on why you'd want that removed? The Function node sandbox isn't a fully secure sandbox; there are ways it can be circumvented if you are familiar enough with JavaScript. At best, it provides some guard rails by not making the full node.js environment readily available.

bubson · 18 October 2024 23:20

@knolleary
I see your point of view.
So I have another question. One thing is that there is possibility of escaping function node sandbox context.
Second - knowing that "vm" module is "exploitable" in a way that there is possibility to execute any code like for example you can install npm modules that are dissalowed in settings. (I know that much more "harmfull things" can be done) Do you have any plans to redesign function node in future? Or it will be left as is?

Topic		Replies	Views
Block env.get in function node General	10	605	23 August 2020
Disable access to ENV vars Core Development	10	370	17 September 2021
Disabling Function External Modules General	17	658	10 May 2022
Annotated settings.js Share Your Projects	17	2982	4 May 2022
How to access Docker Secrets in Node-RED Container General docker	8	454	1 September 2022

Excluding env vars

Related Topics