environment variable leakage in error reporting
Discovered by mcollina on Nodejs-ecosystem

This issue took 1 day and 14 hours to triage and 150 days and 9 hours to close once triaged.




I would like to report a leak of environment variables in https://github.com/senecajs/seneca. It makes a user inadvertently leak private credentials (such as AWS keys) to public spaces.

Module

module name: [MODULE NAME] version: [MODULE VERSION] npm page: https://www.npmjs.com/package/[MODULE NAME]

Module Description

A Node.js toolkit for Microservice architectures

Module Stats


  • 1711 downloads in the last day
  • 7199 downloads in the last week
  • 29241 downloads in the last month

Vulnerability

Vulnerability Description


When a process using Seneca crashes, it prints out all of its environment variables. Crash output is typically picked up by log monitoring systems, and from there it can end up in less secure places. As a result, the variables can end up in public bug reports, such as https://github.com/senecajs/seneca-transport/issues/88.

Steps To Reproduce:

var seneca = require('seneca')()   // create an instance with default options
seneca.die()                        // force the fatal-error path; the summary it prints includes process.env

Patch

diff --git a/lib/common.js b/lib/common.js
index ef3e398..e992cd6 100644
--- a/lib/common.js
+++ b/lib/common.js
@@ -339,10 +339,7 @@ exports.makedie = function(instance, ctxt) {
         process.arch +
         ', platform=' +
         process.platform +
-        (!full ? '' : ', path=' + process.execPath) +
-        ', argv=' +
-        Util.inspect(process.argv).replace(//g, '') +
-        (!full ? '' : ', env=' + Util.inspect(process.env).replace(//g, ''))
+        (!full ? '' : ', path=' + process.execPath)

       var when = new Date()
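Review bot: the `+` line drops `argv=` together with the `env=` dump, which the description above only motivates for env; argv can also carry secrets passed as command-line flags, so removing it is defensible, but the change should say so, and since `full` now adds nothing beyond `path=`, the option's documentation should be updated so operators do not expect a full dump. In the removed lines, `.replace(//g, '')` reads as an empty regex, which JavaScript parses as the start of a line comment and would not compile; that is most likely extraction damage in this listing rather than the original source, but worth confirming against the repository. If environment details are still wanted in `full` mode for debugging, a redacted copy (masking values of keys matching KEY, SECRET, TOKEN or PASSWORD) would keep the diagnostic value without the leak.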

Supporting Material/References:

Wrap up


  • I contacted the maintainer to let them know: Y
  • I opened an issue in the related repository: N


Impact

Access to cloud accounts. I got a $55 bill out of this.