Closed kasvith closed 1 year ago
Hi @kasvith, The process.env values are accessed and will remain only on the client side. This will not be sent to Twilio servers. The values that will be accessed from process.env are TWILIO_ACCOUNT_SID, TWILIO_AUTH_TOKEN, TWILIO_EDGE, TWILIO_REGION, TWILIO_LOG_LEVEL. None of the process.env values are included as part of any of the API calls which send data to Twilio servers.
There is absolutely no reason why you need to store and expose the entire process.env. Please fix this ASAP.
Here is exactly what needs to be done:
This PR/branch needs to be merged: https://github.com/twilio/twilio-node/tree/process_env_change or one of these: https://github.com/twilio/twilio-node/pulls?q=is%3Apr+is%3Aopen+process.env
A new patch SemVer version needs to be published on GitHub and npm.
All previous versions need to be deprecated. A developer with npm access to the "twilio" package on npm needs to run the command npm deprecate twilio@"<1.2.3" "Please upgrade to v1.2.3+ as we have resolved an issue that exposes the process.env object to loggers." and replace the SemVer version 1.2.3 with the latest published version.
Hi @kasvith, This issue has been fixed and merged to use only the required Twilio-specific values from process.env instead of loading them all. The changes will be available in the next release.
@titanism, if any other change needs to be done, please open a new issue. Thanks, Athira
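The fix described in the reply above, shown as an added example that is not twilio-node's own code: a client object that keeps a reference to the whole process.env beside one that copies only the keys the SDK needs, and a check that renders each object the way a JSON logger would and reports which unrelated environment keys ended up in the log line. The key list is taken from the maintainer reply in this thread and is assumed complete for the example; the sample environment is constructed and contains placeholder values, not real credentials.

```javascript
// Added example, not code from twilio-node. Contrasts storing all of
// process.env on a client object with copying only the keys the SDK reads,
// and shows why the first form leaks through loggers.

// Keys the maintainer reply lists as the ones the SDK reads (assumed complete here).
const TWILIO_ENV_KEYS = [
  "TWILIO_ACCOUNT_SID",
  "TWILIO_AUTH_TOKEN",
  "TWILIO_EDGE",
  "TWILIO_REGION",
  "TWILIO_LOG_LEVEL",
];

// Before: the entire environment is reachable from the client object, so any
// logger or error reporter that serialises the client prints every secret.
class LeakyClient {
  constructor(env = process.env) {
    this.env = env;
  }
}

// After: only the documented keys are copied. Unrelated secrets are never
// reachable from the object, whatever a logger does with it.
class ScopedClient {
  constructor(env = process.env) {
    this.env = {};
    for (const key of TWILIO_ENV_KEYS) {
      if (env[key] !== undefined) this.env[key] = env[key];
    }
  }
}

// Simulate a structured logger that serialises whatever object it is handed
// (the same thing a JSON logger does when passed a client instance).
function renderForLog(obj) {
  return JSON.stringify(obj);
}

// Return the env keys that appear in the rendered log line but are not among
// the keys the SDK needs. A non-empty result means the object leaks.
function leakedKeys(rendered, env) {
  return Object.keys(env)
    .filter((k) => !TWILIO_ENV_KEYS.includes(k) && rendered.includes(k))
    .sort();
}

// Constructed sample environment with placeholder values (not real secrets).
const SAMPLE_ENV = {
  TWILIO_ACCOUNT_SID: "ACxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
  TWILIO_AUTH_TOKEN: "auth-token-placeholder",
  DATABASE_URL: "postgres://app:dbpassword-placeholder@db.internal/app",
  STRIPE_SECRET_KEY: "sk_test_placeholder",
};

// Run the check against both client shapes for a given environment.
function compareClients(env = SAMPLE_ENV) {
  return {
    leaky: leakedKeys(renderForLog(new LeakyClient(env)), env),
    scoped: leakedKeys(renderForLog(new ScopedClient(env)), env),
  };
}

console.log(compareClients());
```

The scoped client still holds TWILIO_AUTH_TOKEN, which is itself a secret, so logging a client instance remains a bad idea even after the fix; the change narrows what a careless log line can expose from "every secret in the process" to the SDK's own credentials.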
@AsabuHere can you please deprecate older versions?
npm deprecate twilio@4.12.0 "Please upgrade to v4.13.0+ as we have resolved an issue that exposes the process.env object to loggers @ https://github.com/twilio/twilio-node/issues/931"
npm deprecate twilio@4.11.2 "Please upgrade to v4.13.0+ as we have resolved an issue that exposes the process.env object to loggers @ https://github.com/twilio/twilio-node/issues/931"
npm deprecate twilio@4.11.1 "Please upgrade to v4.13.0+ as we have resolved an issue that exposes the process.env object to loggers @ https://github.com/twilio/twilio-node/issues/931"
npm deprecate twilio@4.11.0 "Please upgrade to v4.13.0+ as we have resolved an issue that exposes the process.env object to loggers @ https://github.com/twilio/twilio-node/issues/931"
npm deprecate twilio@4.10.0 "Please upgrade to v4.13.0+ as we have resolved an issue that exposes the process.env object to loggers @ https://github.com/twilio/twilio-node/issues/931"
npm deprecate twilio@4.9.0 "Please upgrade to v4.13.0+ as we have resolved an issue that exposes the process.env object to loggers @ https://github.com/twilio/twilio-node/issues/931"
npm deprecate twilio@4.8.0 "Please upgrade to v4.13.0+ as we have resolved an issue that exposes the process.env object to loggers @ https://github.com/twilio/twilio-node/issues/931"
npm deprecate twilio@4.7.2 "Please upgrade to v4.13.0+ as we have resolved an issue that exposes the process.env object to loggers @ https://github.com/twilio/twilio-node/issues/931"
npm deprecate twilio@4.7.1 "Please upgrade to v4.13.0+ as we have resolved an issue that exposes the process.env object to loggers @ https://github.com/twilio/twilio-node/issues/931"
npm deprecate twilio@4.7.0 "Please upgrade to v4.13.0+ as we have resolved an issue that exposes the process.env object to loggers @ https://github.com/twilio/twilio-node/issues/931"
Ref: https://www.npmjs.com/package/twilio?activeTab=versions
Issue Summary
Currently, the Twilio SDK Client sends process.env of the current process to the Twilio servers by default. Most people are using process.env to store sensitive data like passwords/secrets etc. Since the Twilio client sends this data to the backend using default settings, people may unknowingly send sensitive information to Twilio servers. This is a security vulnerability that must be resolved immediately.
Code: https://github.com/twilio/twilio-node/blob/972358a298b1ebfaeddffe913b7b9768e2969a95/src/base/BaseTwilio.ts#L78
Technical details: