I would like to report a leak of environment variables in https://github.com/senecajs/seneca
It can make a user inadvertently leak private credentials (such as AWS keys) to public spaces.
module name: [MODULE NAME]
version: [MODULE VERSION]
npm page: https://www.npmjs.com/package/[MODULE NAME]
A Node.js toolkit for Microservice architectures
1711 downloads in the last day
7199 downloads in the last week
29241 downloads in the last month
> Description of how the vulnerability was found and how it can be exploited, and how it harms package users (data modification/loss, system access, other).
When a process using Seneca crashes, it prints out all of its environment variables as part of the fatal error message. That message is typically picked up by log monitoring systems and may end up in less secure places. As a result, the full environment can end up in public bug reports, such as https://github.com/senecajs/seneca-transport/issues/88.
// Proof of concept: seneca.die() takes the fatal-error path, which prints
// process details (including the environment) to the console/log.
var seneca = require('seneca')()
seneca.die()
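The fix below simply drops the argv and env fields from the fatal message. As an added example (not Seneca's code), here is the alternative a maintainer who wants to keep those diagnostics could use: build the same kind of summary string that lib/common.js's makedie assembles, but redact credential-looking entries from env and argv before they are stringified. The key-name and value patterns are heuristics chosen for this example, and the sample env and argv are constructed (the AWS values are the documented placeholder examples, not real keys).

```javascript
// Added example, not part of Seneca: a crash-report builder that keeps the
// diagnostics (arch, platform, execPath, argv, env) but masks secrets first.

// Key names that commonly carry credentials. Assumption: heuristic list,
// extend it for your own deployment.
const SECRET_KEY_RE = /(KEY|SECRET|TOKEN|PASSWORD|PASSWD|CREDENTIAL|AUTH)/i;
// Values that look like credentials regardless of key name (AWS access key
// ids, GitHub tokens). Also a heuristic.
const SECRET_VALUE_RE = /^(AKIA[0-9A-Z]{16}|gh[pousr]_[A-Za-z0-9]{20,})$/;

// Return a copy of env with secret-looking entries replaced by a marker.
function redactEnv(env) {
  const out = {};
  for (const [k, v] of Object.entries(env)) {
    const secret = SECRET_KEY_RE.test(k) || SECRET_VALUE_RE.test(String(v));
    out[k] = secret ? '[REDACTED]' : v;
  }
  return out;
}

// Mask the value of any --password/--token style flag, in both
// "--flag value" and "--flag=value" forms.
function redactArgv(argv) {
  const out = [];
  let maskNext = false;
  for (const a of argv) {
    if (maskNext) { out.push('[REDACTED]'); maskNext = false; continue; }
    const m = /^(--?[^=]+)(?:=(.*))?$/.exec(a);
    if (m && SECRET_KEY_RE.test(m[1])) {
      if (m[2] !== undefined) { out.push(m[1] + '=[REDACTED]'); }
      else { out.push(a); maskNext = true; }
      continue;
    }
    out.push(a);
  }
  return out;
}

// Same shape of summary as makedie builds: path/argv/env only when `full`
// is set, and never the raw values. JSON.stringify stands in for Util.inspect.
function crashInfo({ full = false, env = process.env, argv = process.argv } = {}) {
  let s = 'arch=' + process.arch + ', platform=' + process.platform;
  if (full) {
    s += ', path=' + process.execPath +
      ', argv=' + JSON.stringify(redactArgv(argv)) +
      ', env=' + JSON.stringify(redactEnv(env));
  }
  return s;
}

// Constructed sample input (placeholder credentials, not real ones).
const SAMPLE_ENV = {
  PATH: '/usr/bin',
  AWS_ACCESS_KEY_ID: 'AKIAIOSFODNN7EXAMPLE',
  AWS_SECRET_ACCESS_KEY: 'wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY',
  NODE_ENV: 'production',
};
const SAMPLE_ARGV = ['node', 'app.js', '--password', 'hunter2', '--db-token=abc'];

if (typeof require !== 'undefined' && require.main === module) {
  console.log(crashInfo({ full: true, env: SAMPLE_ENV, argv: SAMPLE_ARGV }));
}
```

Run it with `node` and the printed line still names the arch, platform and binary path, but every credential-looking value in env and argv shows up as `[REDACTED]`. The value-based pattern catches a key stored under an innocuous name (for example an AWS access key id in a variable called `X`); the key-name pattern catches the usual `*_SECRET`, `*_TOKEN` and `*PASSWORD*` variables whatever their value.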
diff --git a/lib/common.js b/lib/common.js
index ef3e398..e992cd6 100644
--- a/lib/common.js
+++ b/lib/common.js
@@ -339,10 +339,7 @@ exports.makedie = function(instance, ctxt) {
process.arch +
', platform=' +
process.platform +
- (!full ? '' : ', path=' + process.execPath) +
- ', argv=' +
- Util.inspect(process.argv).replace(/\n/g, '') +
- (!full ? '' : ', env=' + Util.inspect(process.env).replace(/\n/g, ''))
+ (!full ? '' : ', path=' + process.execPath)
var when = new Date()
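Review bot: the removed lines drop the `argv=` field together with `env=`, and unlike `path=` and `env=` the argv field was not gated on `full`, so this changes the fatal message for every caller, not only the ones that opted into the full dump; if that is intended (argv can carry `--password`-style values too), say so in the commit message or changelog, otherwise keep argv and only drop the `', env=' + Util.inspect(process.env)` term. Also check whether `Util` is still referenced elsewhere in lib/common.js, since both of its uses visible in this hunk are gone.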
> Hunter's comments and funny memes go here
Access to cloud accounts. I got a $55 bill out of this.