You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
app-vite v2 and app-webpack v4 and added env dotfiles support. Environment variables from .env files are automatically exposed to the app by default. This happens unless the developer explicitly uses the envFilter option, which is optional and not specifically encouraged or clarified.
This differs from other tools like Vite and Vue CLI, which require explicit exposure or a prefix (e.g., VITE_*, VUE_*) to make environment variables available to the app. Exposing variables without a clear strategy can increase the risk of accidentally leaking sensitive data, especially due to sneaky nested/transitive third-party dependencies.
Proposed Solutions
For Now (Non-Breaking)
Scaffolding with a sensible default
Scaffold envFilter option with a sensible default(_e.g. with a logic filtering QCLI_ prefix_) in newly created apps:
This would ensure environment variables are only exposed when explicitly defined by the developer. This would align Quasar CLI with the best practices of other frameworks and improve security without breaking any existing functionality.
envFilter: (env)=>Object.fromEntries(Object.entries(env).filter(([key])=>key.startsWith('QCLI_')),// or QAPP_, QUASAR_, etc.),// alternativeenvFilter: (env)=>{const allowedKeys =['FOO','BAR']returnObject.fromEntries(Object.entries(env).filter(([key])=>allowedKeys.includes(key)),);},
Improve Documentation
This potential security risk should be clearly mentioned. The developers should be encouraged to use the envFilter option. We can list the potential code solutions shown above. We also need to update the upgrade guides which mention this feature, accordingly.
Inform existing users
We should make announcements to notify the existing users about this situation and encourage them to update their logic accordingly.
For the Future (Breaking Change)
Do not expose any env variables by default. Only expose the variables prefixed with a prefix, e.g. QCLI_*.
This would be a breaking change and would likely require a major version update, as it would change the default behavior for handling environment variables. It's rather important and rather easy to update since people usually won't have a crazy amount of env variables and it's easy to search and replace. So, it might be possible to do this without a major version, even though it might be annoying.
The text was updated successfully, but these errors were encountered:
app-vite v2 and app-webpack v4 and added env dotfiles support. Environment variables from .env files are automatically exposed to the app by default. This happens unless the developer explicitly uses the
envFilteroption, which is optional and not specifically encouraged or clarified.This differs from other tools like Vite and Vue CLI, which require explicit exposure or a prefix (e.g., VITE_*, VUE_*) to make environment variables available to the app. Exposing variables without a clear strategy can increase the risk of accidentally leaking sensitive data, especially due to sneaky nested/transitive third-party dependencies.
Proposed Solutions
For Now (Non-Breaking)
Scaffolding with a sensible default
Scaffold
envFilteroption with a sensible default(_e.g. with a logic filteringQCLI_prefix_) in newly created apps:This would ensure environment variables are only exposed when explicitly defined by the developer. This would align Quasar CLI with the best practices of other frameworks and improve security without breaking any existing functionality.
Improve Documentation
This potential security risk should be clearly mentioned. The developers should be encouraged to use the
envFilteroption. We can list the potential code solutions shown above. We also need to update the upgrade guides which mention this feature, accordingly.Inform existing users
We should make announcements to notify the existing users about this situation and encourage them to update their logic accordingly.
For the Future (Breaking Change)
Do not expose any env variables by default. Only expose the variables prefixed with a prefix, e.g.
QCLI_*.This would be a breaking change and would likely require a major version update, as it would change the default behavior for handling environment variables. It's rather important and rather easy to update since people usually won't have a crazy amount of env variables and it's easy to search and replace. So, it might be possible to do this without a major version, even though it might be annoying.
The text was updated successfully, but these errors were encountered: