statamic / v2-hub

Statamic 2 - Feature Requests and Bug Reports
https://statamic.com

Should ENV tag be accessible from content? #2109

Open aryehraber opened 6 years ago

aryehraber commented 6 years ago

Describe the bug

This isn't strictly a bug, as I'm sure it's currently working as intended, but I'm more concerned about the security implications.

A great Statamic feature is being able to use tags from within content, eg:

content/pages/index.md

---
title: Home
---
The page title is: {{ title }}

Having said that, a user can also use this method to retrieve .env variables, eg:

.env

SECRET_THING=super_secret_sshhh

content/pages/index.md

---
title: Home
---
The page title is: {{ title }}
Secret thing: {{ env:SECRET_THING }}

Granted, they would need to know the key being used, but there are a few obvious ones for certain configs.

To me, one of the major reasons for moving API keys to .env is to keep them out of the site/content managers' hands; with the above method they can still gain access. Most clients I've worked with are trustworthy, but that may not always be the case. Additionally, sites that allow user signup and give (restricted) CP access can also take advantage of this.

edalzell commented 6 years ago

How do you propose this be addressed?

jasonvarga commented 6 years ago

That's a tough one.

You could prevent parsing tags, but that would prevent all tags being parsed. We could add an option to just disable the env tag completely.

aryehraber commented 6 years ago

Yeah I figured it'd be a hard problem to solve.

I opened this issue to make you aware of it (in case you weren't already) and to see if there were any options/ideas.

Optionally disabling the env tag would be an interesting idea. That way .env variables would only be accessible through code (addons/helpers), but not via templates/content — unless via an addon/helper that parsed a specific variable.
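As an added illustration (not Statamic's code, and not part of this thread), the Python script below shows the two defender-side pieces the discussion points at: an audit that flags which content files reference `{{ env:... }}` and which keys they ask for, and a toy renderer with the "disable the env tag in content" option proposed above. The tag regex, the `render` function and the dict standing in for `.env` are simplifications of Statamic's real parser, assumed here only to demonstrate the mechanism.

```python
import re

# Matches Statamic-style tags such as {{ title }} or {{ env:SECRET_THING }}.
# Simplified: real Antlers syntax supports more parameter forms than this.
TAG_RE = re.compile(
    r"\{\{\s*(?P<tag>[A-Za-z_]\w*)(?::(?P<param>[A-Za-z_]\w*))?\s*\}\}"
)


def find_env_tags(content: str) -> list[str]:
    """Detection: return the .env keys a piece of content tries to read."""
    return [m.group("param") for m in TAG_RE.finditer(content)
            if m.group("tag") == "env" and m.group("param")]


def audit(files: dict[str, str]) -> dict[str, list[str]]:
    """Audit a content tree (path -> file body); report only offending files."""
    hits = {path: find_env_tags(body) for path, body in files.items()}
    return {path: keys for path, keys in hits.items() if keys}


def render(content: str, variables: dict, env: dict, allow_env: bool) -> str:
    """Toy renderer. With allow_env=False the env tag is refused in content,
    mirroring the optional 'disable the env tag' switch discussed above."""
    def substitute(m: re.Match) -> str:
        tag, param = m.group("tag"), m.group("param")
        if tag == "env":
            # Disabled: render nothing rather than the secret.
            return env.get(param, "") if allow_env else ""
        return str(variables.get(tag, ""))
    return TAG_RE.sub(substitute, content)


# Constructed sample data mirroring the issue: front matter already parsed
# into `variables`, and a dict standing in for the loaded .env file.
CONTENT = "The page title is: {{ title }}\nSecret thing: {{ env:SECRET_THING }}\n"
VARIABLES = {"title": "Home"}
ENV = {"SECRET_THING": "super_secret_sshhh"}  # constructed, not a real secret
FILES = {"content/pages/index.md": CONTENT, "content/pages/about.md": "{{ title }}"}

if __name__ == "__main__":
    print("files referencing env:", audit(FILES))
    print(render(CONTENT, VARIABLES, ENV, allow_env=True))
    print(render(CONTENT, VARIABLES, ENV, allow_env=False))
```

Running the audit over the content directory on each deploy is the cheap check while no such option exists; the `allow_env=False` path is what the proposed switch would have to guarantee for content supplied by CP users.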