Infisical / infisical

♾ Infisical is the open-source secret management platform: Sync secrets across your team/infrastructure, prevent secret leaks, and manage internal PKI
https://infisical.com

[ENG-200] [SECURITY]: do not read secrets from env vars #1104

Open happysalada opened 11 months ago

happysalada commented 11 months ago

Feature description

A process environment is accessible by other processes. Storing any secrets in the environment means those can be seen by other processes. Docker and systemd have special mechanisms for reading secrets (docker secrets, systemd credentials).

Implementation details

All the env vars should be replaced with their _FILE counterpart, and the secret should be read from a file path (this is how both docker secrets and systemd credentials work). The transition path is a bit tricky.

Why would it be useful?

Preventing a security hole where an attacker gains control of a separate process and reads the secrets in this app.

Additional context

I'm considering packaging this for nixos and came across this issue. I understand that security features can't be a priority for small teams, so no worries if this doesn't become a priority. Just thought I would drop this for when this can be tackled. Thanks a lot for starting this repo, the open source community needs something like this!

From SyncLinear.com | ENG-200

akhilmhdh commented 11 months ago

@happysalada I am a bit confused when you state that a process.env is accessible by another process.

The CLI injects the env not into process.env but rather into a terminal session or a thread, so only the connecting program can read the environment variable, not any other process.

happysalada commented 11 months ago

I'm talking about the secrets needed to run the Infisical app (not all the secrets handled by the app). As part of the process env, they are all accessible under /proc by other processes.

akhilmhdh commented 11 months ago

Ohh got it.

CC: @maidul98

happysalada commented 10 months ago

From the .env.example, here are the secrets I've noticed:

ENCRYPTION_KEY=6c1fe4e407b8911c104518103505b218
AUTH_SECRET=5lrMXKKWCVocS/uerPsl7V+TX/aaUaI7iDkgl3tSmLE=
MONGO_URL=mongodb://root:example@mongo:27017/?authSource=admin
REDIS_URL=redis://redis:6379
MONGO_USERNAME=root
MONGO_PASSWORD=example

Would you be open to a PR that reads those secrets from either ENV_VAR_FILE or ENV_VAR? (so for example MONGO_USERNAME_FILE or MONGO_USERNAME)

maidul98 commented 10 months ago

@happysalada feel free to open a PR and we will get it reviewed