Severity
Low
Short Description
Package accesses environment variables, which may be a sign of credential stuffing or data theft.
Suggestion
Packages should be clear about which environment variables they access, and care should be taken to ensure they only access environment variables they claim to.
The Environment Variable Access alert is triggered when a dependency accesses environment variables using methods like process.env in Node.js, os.environ in Python, or similar functions in other programming languages. Accessing environment variables can put sensitive data at risk, such as API keys, database credentials, or personal data.
Some flagged dependencies access environment variables dynamically, constructing the variable names or access patterns at runtime, which can obscure what data is being accessed.
It's important to be aware of packages that handle credentials or tokens through environment variables without proper encryption or security measures.
Here's an example where a package is using process.env in multiple instances, which triggered the Environment Variable Access alert:
The Environment Variable Access alert heuristic detects when a package accesses environment variables by scanning the code for the use of environment variable access methods, such as process.env in Node.js, os.environ in Python, or equivalent functions in other programming languages.
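The following is an added example, not Socket's own implementation: a minimal scanner in the spirit of the heuristic described above that finds process.env accesses in JavaScript source and separates static accesses (the variable name is visible and can be checked against what the package documents) from dynamic ones (the name is computed at runtime, or the whole environment is read). The sample source it scans is constructed for illustration.

```javascript
// Matches process.env followed optionally by .NAME, ['NAME'] / ["NAME"], or [expr].
const ENV_ACCESS =
  /process\.env(?:\.([A-Za-z_$][\w$]*)|\[\s*(?:(['"`])([^'"`]*)\2|([^\]]+?))\s*\])?/g;

// Scan source text line by line and classify every process.env access.
function scanEnvAccess(source) {
  const findings = [];
  source.split('\n').forEach((text, i) => {
    for (const m of text.matchAll(ENV_ACCESS)) {
      const [, dotName, , quotedName, expr] = m;
      if (dotName !== undefined || quotedName !== undefined) {
        // Name is literally present in the code: auditable against the package's claims.
        findings.push({ line: i + 1, kind: 'static', name: dotName ?? quotedName });
      } else if (expr !== undefined) {
        // Name built at runtime (e.g. prefix + 'TOKEN'): the heuristic cannot tell what is read.
        findings.push({ line: i + 1, kind: 'dynamic', name: expr.trim() });
      } else {
        // Bare process.env: destructuring, spreading or passing the whole environment object.
        findings.push({ line: i + 1, kind: 'dynamic', name: '*' });
      }
    }
  });
  return findings;
}

// Review summary: declared names to compare with the package's documentation,
// plus a count of accesses whose target is hidden behind runtime values.
function summarize(findings) {
  const staticNames = findings.filter(f => f.kind === 'static').map(f => f.name);
  return {
    total: findings.length,
    staticNames: [...new Set(staticNames)].sort(),
    dynamicCount: findings.filter(f => f.kind === 'dynamic').length,
  };
}

// Constructed sample (not taken from any real package) exercising each access pattern.
const SAMPLE = [
  "const apiKey = process.env.API_KEY;",
  "const dbPass = process.env['DB_PASSWORD'];",
  "const prefix = 'SECRET_';",
  "const token = process.env[prefix + 'TOKEN'];",
  "const { HOME } = process.env;",
  "console.log(JSON.stringify(process.env));",
].join('\n');

console.log(summarize(scanEnvAccess(SAMPLE)));
```

A regex scan like this is a heuristic, as the alert itself is: accesses through aliases (for example `const env = process.env`) or through wrapper libraries are not caught, which is why dynamic and bare accesses deserve manual review rather than being treated as benign.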