twilio / twilio-node

Node.js helper library
MIT License
1.39k stars 509 forks

Do not send `process.env` by default to twilio servers #931

Closed kasvith closed 1 year ago

kasvith commented 1 year ago

Issue Summary

Currently, Twilio SDK Client sends process.env of the current process to the Twilio servers by default. Most people are using process.env to store sensitive data like passwords/secrets etc. Since the Twilio client sends these data to the backend using default settings people may unknowingly send sensitive information to Twilio servers.

This is a security vulnerability that must be resolved immediately.

const client = new Twilio(sid, token) // <-- sends process.env by default to the twilio servers

Code: https://github.com/twilio/twilio-node/blob/972358a298b1ebfaeddffe913b7b9768e2969a95/src/base/BaseTwilio.ts#L78

Technical details:

AsabuHere commented 1 year ago

Hi @kasvith, the process.env values are accessed and will remain only on the client side. This will not be sent to twilio servers. The values that will be accessed from process.env are TWILIO_ACCOUNT_SID, TWILIO_AUTH_TOKEN, TWILIO_EDGE, TWILIO_REGION, TWILIO_LOG_LEVEL. None of the process.env values are included as part of any of the api calls which send data to twilio servers.
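As an added example (not twilio-node's own code), the pattern the issue describes beside an allow-listed alternative limited to the five TWILIO_ variables the maintainer lists, with a check of what a logger serialising the client object would capture. Function names and the sample environment are assumed.

```javascript
'use strict';

// Only these keys are read by the SDK according to the maintainer's reply.
const TWILIO_ENV_KEYS = [
  'TWILIO_ACCOUNT_SID',
  'TWILIO_AUTH_TOKEN',
  'TWILIO_EDGE',
  'TWILIO_REGION',
  'TWILIO_LOG_LEVEL',
];

// Before: the whole environment is retained on the client object, so any
// logger or error reporter that serialises the client captures every secret.
function buildClientBefore(env) {
  return { env: env };
}

// After: copy only the keys the SDK actually needs (assumed helper name).
function pickTwilioEnv(env) {
  const picked = {};
  for (const key of TWILIO_ENV_KEYS) {
    if (env[key] !== undefined) picked[key] = env[key];
  }
  return picked;
}

function buildClientAfter(env) {
  return { env: pickTwilioEnv(env) };
}

// Env keys that would appear in JSON.stringify(client) but are not
// Twilio-specific, i.e. what a serialising logger would leak.
function leakedKeys(client) {
  const serialised = JSON.parse(JSON.stringify(client));
  return Object.keys(serialised.env || {}).filter(
    (k) => !TWILIO_ENV_KEYS.includes(k)
  );
}

// Constructed sample environment; every value is a placeholder.
const SAMPLE_ENV = {
  TWILIO_ACCOUNT_SID: 'ACxxxxxxxxxxxxxxxx',
  TWILIO_AUTH_TOKEN: 'placeholder-token',
  DATABASE_URL: 'postgres://user:placeholder@db/app',
  AWS_SECRET_ACCESS_KEY: 'placeholder-aws-secret',
};

console.log('leaked before:', leakedKeys(buildClientBefore(SAMPLE_ENV)));
console.log('leaked after: ', leakedKeys(buildClientAfter(SAMPLE_ENV)));
```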

titanism commented 1 year ago

There is absolutely no reason why you need to store and expose the entire process.env. Please fix this ASAP.

Here is exactly what needs to be done:

  1. This PR/branch needs to be merged: https://github.com/twilio/twilio-node/tree/process_env_change or one of these: https://github.com/twilio/twilio-node/pulls?q=is%3Apr+is%3Aopen+process.env

  2. A new patch SemVer version needs to be published on GitHub and npm.

  3. All previous versions need to be deprecated. A developer with npm access to the "twilio" package on npm needs to run the command npm deprecate twilio@"<1.2.3" "Please upgrade to v1.2.3+ as we have resolved an issue that exposes the process.env object to loggers." and replace the SemVer version 1.2.3 with the latest published version.

AsabuHere commented 1 year ago

Hi @kasvith, This issue has been fixed and merged to use only required twilio specific values from process.env instead of loading them all. The changes will be available from next release.

@titanism, if any other change needs to be done, please open a new issue. Thanks, Athira

titanism commented 1 year ago

@AsabuHere can you please deprecate older versions?

npm deprecate twilio@4.12.0 "Please upgrade to v4.13.0+ as we have resolved an issue that exposes the process.env object to loggers @ https://github.com/twilio/twilio-node/issues/931"

npm deprecate twilio@4.11.2 "Please upgrade to v4.13.0+ as we have resolved an issue that exposes the process.env object to loggers @ https://github.com/twilio/twilio-node/issues/931"

npm deprecate twilio@4.11.1 "Please upgrade to v4.13.0+ as we have resolved an issue that exposes the process.env object to loggers @ https://github.com/twilio/twilio-node/issues/931"

npm deprecate twilio@4.11.0 "Please upgrade to v4.13.0+ as we have resolved an issue that exposes the process.env object to loggers @ https://github.com/twilio/twilio-node/issues/931"

npm deprecate twilio@4.10.0 "Please upgrade to v4.13.0+ as we have resolved an issue that exposes the process.env object to loggers @ https://github.com/twilio/twilio-node/issues/931"

npm deprecate twilio@4.9.0 "Please upgrade to v4.13.0+ as we have resolved an issue that exposes the process.env object to loggers @ https://github.com/twilio/twilio-node/issues/931"

npm deprecate twilio@4.8.0 "Please upgrade to v4.13.0+ as we have resolved an issue that exposes the process.env object to loggers @ https://github.com/twilio/twilio-node/issues/931"

npm deprecate twilio@4.7.2 "Please upgrade to v4.13.0+ as we have resolved an issue that exposes the process.env object to loggers @ https://github.com/twilio/twilio-node/issues/931"

npm deprecate twilio@4.7.1 "Please upgrade to v4.13.0+ as we have resolved an issue that exposes the process.env object to loggers @ https://github.com/twilio/twilio-node/issues/931"

npm deprecate twilio@4.7.0 "Please upgrade to v4.13.0+ as we have resolved an issue that exposes the process.env object to loggers @ https://github.com/twilio/twilio-node/issues/931"

Ref: https://www.npmjs.com/package/twilio?activeTab=versions