twilio / twilio-node

Node.js helper library
MIT License
1.39k stars, 509 forks

`env` should not be assigned to `process.env` #938

Closed titanism closed 1 year ago

titanism commented 1 year ago
node_modules/twilio/lib/base/BaseTwilio.js, line 36:

this.env = this.opts.env || process.env;

This line exposes the entire process.env to the client, which is unnecessary.

Without explicitly setting env option, it sets this entire object in memory.

If someone were to log the client object, then this too would be exposed, which is a security issue.

Please change this line of code:

-this.env = this.opts.env || process.env;
+this.env = this.opts.env || {};
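Review bot: defaulting `env` to `{}` when `opts.env` is not supplied also drops every value the client would otherwise read from the real environment, so a caller relying on environment-based configuration silently gets nothing; a narrower default that copies only the specific keys the client needs (the approach the maintainer's closing comment says was merged) removes the same exposure without that regression.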
titanism commented 1 year ago

Additional comments at https://github.com/twilio/twilio-node/pull/939

titanism commented 1 year ago

Temporary workarounds to monkey-patch:

const client = twilio(accountSid, authToken, { env: {} });

Or:

const client = new twilio.Twilio(accountSid, authToken, { env: {} });

Or:

const client = twilio(accountSid, authToken);
client.env = {};
titanism commented 1 year ago

Duplicate of #933, #932, #931

AsabuHere commented 1 year ago

Hi @titanism, I have merged the fix for this issue to refer to only the Twilio-specific required values from process.env and not load all of them. The fix will be available from the next release. Thanks, Athira