Security Flaw: env vars easily extractable by non-authorized devs

Hey guys,
Really appreciate netlify’s mission on making our dev life easier.

Handling env vars and secret API keys can be challenging, that’s why you suggest to put sensitive vars into the Netlify’s env UI interface so only admin level users can see/change these instead of everyone with access to the repo.

However, your netlify.toml file uses a hierarchical override, which makes it super easy for non-authorized devs with access to any branch to extract production level API keys.

They only need to delete the branch overrides in the config file, and print the values somewhere in the code of their local build.

comment this:
Screenshot 2021-05-01 at 20.53.47

Done, all secrets revealed.
Screenshot 2021-05-01 at 20.16.32

I would urge netlify to add restrictions in the admin UI to avoid trickling production keys down stream, make env keys independent of each other or use a reverse hierarchal order where the lowest level keys are overridden by the highest (highest being netlify UI) to avoid this security leak.

PS: Netlify dev: ‘◈ Reloading redirect rules from [ ‘netlify.toml’ ]’ is logged, however netlify dev needs a full restart for effects in the config file to take effect

Hey @MentalGear,
Thanks for this report. In the future, we’d appreciate reports like this to go to security@netlify.com so our security team can investigate. We’ve unlisted this topic for the time being.

If I’m understanding the report correctly, you’re talking about the ability to clone a public repo and then use the CLI to print the environment variables from the site? We have not been able to reproduce this. Could you please share the public repo and Netlify site with env variables in the UI where you are testing this? Thanks!

I’m describing the situation where.

From your guide:

Before using Netlify Dev, you must authenticate and make sure your site is linked to a Netlify siteID . You can do that by setting up continuous deployment with netlify init or linking your site with netlify link .

Which would mean that devs that need netlify dev (for local production of serverless functions), would need to authenticate with netlify’s site, and which would mean they could extract the env set in netlify’s UI.

Hi, @MentalGear. I want to chime in here as well.

If you authenticate with the site in question at Netlify then, by definition, you can see the site settings for the site in the web UI at Netlify.

In other words, you seem to be saying you can see these environment variables when you are logged in using netlify dev. However, if so, this login is no different than the login to the web UI. If you can see the environment variables logged into the web UI then, yes, you will also be able to see them when logged in using netlify dev. Both login methods grant the full user permissions.

If you are saying something different, in order to proceed with this report, we require clear instructions to successfully reproduce the issue.

For example, those instructions might be:

  1. Create account one.
  2. Make new site, named “site-one”, and link that site to repo x.
  3. Add an environment variable to site-one.
  4. Create account two and make site-two under this new account linked to repo x.
  5. Enter “XYZ” as the build command and modify netlify.toml to include “ABC”.
  6. Login with netlify dev to account two.
  7. Trigger a build on site-two.
  8. See the environment variables for site-one shown for site-two.

Again, we don’t think this is possible. We’ve tried but we cannot reproduce it. However, if you can provide precise instructions which demonstrate that this is possible we will certainly take action. Are you able to provide those instructions?