singlelink-co / Singlelink

The open-source Linktree alternative.
https://singlelink.co
GNU General Public License v3.0
550 stars, 117 forks

Potential risk of credential leaks due to misconfiguration of NextJS #256

Open itsderinger opened 1 year ago

itsderinger commented 1 year ago

Hi @jimmybisenius,

There might be a misconfiguration in the nextjs.config.js file: In its current state, it seems that all env variables are exposed to the JavaScript bundle (and consequently the client). If correct, the following environment variables could be at risk of getting leaked: DB_USER, DB_PASSWORD, SECRET, and PASSWORD.

Source: https://nextjs.org/docs/api-reference/next.config.js/environment-variables
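As an added illustration (not Singlelink's actual config, which this issue does not quote): a next.config.js `env` block that forwards the whole process environment, beside one that exposes only an allowlist, plus a small audit helper that flags credential-like names in whatever the `env` block would inline. The variable names are those from the report; the sample values are constructed.

```javascript
// Added example, not Singlelink's own next.config.js.
// In Next.js, every key under the `env` option of next.config.js is inlined
// into the client-side JavaScript bundle at build time, so whatever lands
// there is readable by anyone who loads the site.

// Constructed sample environment; values are placeholders.
const sampleEnv = {
  DB_USER: "app",
  DB_PASSWORD: "placeholder-db-password",
  SECRET: "placeholder-signing-secret",
  PASSWORD: "placeholder-admin-password",
  API_URL: "https://api.example.invalid",
  NODE_ENV: "production",
};

// Risky pattern: forwarding the whole environment means credentials are
// bundled along with the public settings.
function leakyEnvConfig(env) {
  return { ...env };
}

// Safer pattern: only values that are genuinely public reach the browser.
// (Next.js also offers the NEXT_PUBLIC_ prefix for the same purpose, which
// makes the intent visible in the variable name itself.)
const PUBLIC_KEYS = ["API_URL", "NODE_ENV"];
function allowlistedEnvConfig(env) {
  return Object.fromEntries(
    PUBLIC_KEYS.filter((k) => k in env).map((k) => [k, env[k]])
  );
}

// Audit helper: given the object that would be passed as `env`, return the
// names that look like credentials. Heuristic pattern; extend as needed.
const SENSITIVE_NAME = /(PASS|SECRET|TOKEN|PRIVATE|KEY|^DB_)/i;
function findExposedSecrets(envConfig) {
  return Object.keys(envConfig)
    .filter((k) => SENSITIVE_NAME.test(k))
    .sort();
}

// Stand-alone run: the leaky config flags the four names from the report,
// the allowlisted config flags nothing.
console.log("leaky:", findExposedSecrets(leakyEnvConfig(sampleEnv)));
console.log("allowlisted:", findExposedSecrets(allowlistedEnvConfig(sampleEnv)));
```

Running the audit helper in CI against the object your next.config.js actually passes as `env` turns this class of misconfiguration into a build failure rather than a post-deploy discovery.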

jimmybisenius commented 1 year ago

Good issue, cc @saraspaudel