08.05.2014, 00:14, "Peter Rust" <[email protected]>:
> Thanks, Ritchie, this is valuable.
>
> > environment variables shouldn't be used to store anything secret
>
> I was under the impression that it is common practice to include database creds embedded in a DATABASE_URL environment variable, as well as creds/tokens for other third-party services (s3, etc) -- isn't this what the 12 factor app (http://12factor.net/ - Heroku's manifesto) recommends?

It's also a common practice to set "qwerty" as your password...
I'm not using Heroku (and don't like PaaS in general), so I don't know their reasons for it.
By the way, this approach fails when DATABASE_URL is different among multiple child processes. I remember an issue in the pm2 bug tracker about preserving the environment; there was a discussion about env key reuse/collisions.
I'd say config files are preferred.

> > If you're checking any machine-generated data in to a version control system, you're doing it wrong
>
> Some prominent node devs (including mikeal) encourage checking node_modules into source control. Wouldn't this include machine-generated data, including the .lock-wscript file? Or would that be excluded by a .gitignore rule?

I very much doubt this practice. But if you're doing that for some reason, check manually every single file you add, at least its name.
Otherwise one can easily add npm-debug.log this way, which contains even more sensitive information than is stored in the environment. I hope I didn't just disclose another security issue, did I?
---
To view this discussion on the web visit https://groups.google.com/d/msgid/nodejs/1112471399565719%40web19j.yandex.ru.
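
The file-name check suggested in the message above, automated for a staged change set. This is an added example, not part of the original thread; the rule list, function names and sample paths are assumptions built from the two file names mentioned in the discussion.

```javascript
// Added example: flag machine-generated files by name before they are committed.
// RULES is an assumption: it lists only the two file names mentioned in the thread.
const RULES = [
  { name: 'npm-debug.log', reason: 'npm debug log' },
  { name: '.lock-wscript', reason: 'build lock file' },
];

// Split the NUL-separated output of `git diff --cached --name-only -z`
// into individual paths. NUL separation keeps odd file names intact.
function parseStagedList(raw) {
  return raw.split('\0').filter((p) => p.length > 0);
}

// Return [{ path, reason }] for every path whose final component
// exactly matches a rule. Both "/" and "\" are treated as separators.
function findGeneratedFiles(paths) {
  const hits = [];
  for (const p of paths) {
    const base = p.split(/[\\/]/).pop();
    for (const rule of RULES) {
      if (base === rule.name) hits.push({ path: p, reason: rule.reason });
    }
  }
  return hits;
}

// Constructed sample: what the git command above could print when
// node_modules is checked in. All paths are hypothetical.
const SAMPLE = [
  'package.json',
  'node_modules/some-lib/index.js',
  'node_modules/some-addon/build/.lock-wscript',
  'npm-debug.log',
  'docs/npm-debug.log.md', // not flagged: the file name only starts with the pattern
].join('\0') + '\0';

for (const hit of findGeneratedFiles(parseStagedList(SAMPLE))) {
  console.log(`${hit.path}: ${hit.reason}`);
}
```

In a pre-commit hook, the real output of `git diff --cached --name-only -z` would replace `SAMPLE`, and a non-empty result would abort the commit.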
