Questions tagged [environment-variables]

36 questions
2 votes, 0 answers

Node.js ENV VAR Security

Recently I had a debate with a fellow dev about where to store Node.js env vars. I always use .env files and load these as proper ENV VARs at runtime, however my fellow dev uses JSON config files and loads them in as runtime variables to the Node.js…
TrickyDupes
2 votes, 0 answers

Is there anything inherently insecure in setting a custom environment variable to a request parameter?

Imagine I have the following Rails endpoint: def configure_welcome_message ENV['myapp_welcome_message'] = params[:welcome_message] end Aside from the fact that this is an inane way to set a welcome message, is there anything inherently insecure…
Devon Parsons
1 vote, 1 answer

Details: snoop environment variables using D-Bus IPC

The page at: https://www.freedesktop.org/software/systemd/man/systemd.exec.html#Environment says: Environment variables set for a unit are exposed to unprivileged clients via D-Bus IPC [...] I don't have much experience with stuff as low-level as…
1 vote, 0 answers

Can modifying environment variables in Windows cause vulnerability?

As a normal user, if you open the Edit Environment Variable setting in Windows, you will get this: As you can see, the %path% variable that is available for a user is a combination of %path% set globally as System variables and %path% set locally for…
raspiduino
1 vote, 1 answer

SUID Priv Escalation - LD_LIBRARY_PATH versus ldconfig and /etc/ld.so.conf

Background Currently doing some vulnservers on Offensive Security's Proving Grounds Practice Labs. A vulnserver is a machine configured with vulnerabilities for testing/audit and research purposes. I came across a machine that had a cronjob running…
0x5929
1 vote, 1 answer

How to globally enable ld.so secure-execution mode for all applications?

Quote https://manpages.debian.org/buster/manpages/ld.so.8.en.html#Secure-execution_mode Secure-execution mode For security reasons, the effects of some environment variables are voided or modified if the dynamic linker determines that the binary…
adrelanos
1 vote, 0 answers

Digital Ocean ENV Variables - .env file, ENV Variables, or something else

Does Digital Ocean have something similar to Credstash or AWS Secrets Manager (both AWS services)? Trying to decide on the most secure way to store environmental variables with sensitive information (like database access codes, for…
1 vote, 1 answer

Getting data from AWS Secrets Manager at deployment (ENV variables) vs. at run-time (e.g. aws-sdk)

Given a serverless deployment of some kind (i.e. something that relies on AWS Lambda for computing), and secrets stored in AWS Secrets Manager, what difference from security standpoint is there between the following two options: reading secrets…
1 vote, 1 answer

Handling secrets and environmental variables in Docker-k8s-skaffold dev environment

Basically, trying to wrap my brain around how I should be handling secrets using Docker, k8s, and Skaffold in a dev environment. I'm pretty new to this tech, so don't fully understand all of it. Just not sure if I should be using a .env, or…
cjones
1 vote, 1 answer

Securing Code Secrets - What is the relevance if the host gets compromised?

I've been researching and testing different approaches when it comes to securing code secrets, and am unsure what the best options are, and if they even have any relevance once a host gets compromised. Some standard approaches I've read about…
1 vote, 0 answers

Trust boundaries for webapps (vs desktop apps)

I am currently working on fixing some security problems with our webapp as reported by VeraCode. Some of these pertain to "trust boundaries", i.e, what inputs can be trusted. In some cases, our problems appear to be due to our reading of Java…
1 vote, 2 answers

Shellcode does not execute as the owner

(This is a question regarding a challenge in a wargame on overthewire.org called Narnia) Here is the source code of the vulnerable script "narnia1" I intend to exploit: #include int main(){ int (*ret)(); if(getenv("EGG")==NULL){ …
1 vote, 0 answers

Password as environment variable - is it a good idea?

Is it possible in Unix/Linux to access an environment variable from another session? For instance, with export MYPASSWORD='MySecretPassword', would it be possible for another user on the same machine to access it? From my understanding, the password will…
Alex
1 vote, 1 answer

How to handle sensitive data like API-keys and DB passwords on production

I'm setting up a development and production environment for a web application. It uses some remote APIs for which you need a key to access them. You don't want those in your code, as well as the database credentials. I have done some research and…
NG.
1 vote, 2 answers

ENV exports in docker entry_point.sh that is run from CI

Assuming I have the following line in Django settings: OKPAY_API_KEY = os.environ.get('Ok_PAY_API_KEY') Then I import it into my build process in wercker CI, and then write this var to the entrypoint.sh of my container in the build step of wercker. the…
Oleg Belousov