Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Do not use environment variables by default - security issue #30

Open
FlipSky opened this issue Nov 28, 2020 · 1 comment
Open

Do not use environment variables by default - security issue #30

FlipSky opened this issue Nov 28, 2020 · 1 comment

Comments

@FlipSky
Copy link

FlipSky commented Nov 28, 2020

Please exclude support for environment variables in the templates (the .Env.* insertions according to the documentation). This can expose a lot of unintentional information (just run set in your shell to see what is available).

Preferred behaviour:

  1. Change default value of --no-sys-env to true (or rename option).
  2. Remove all support for system environments and only accept definitions from --env, --json or --load.

Simple work around is to add --no-sys-env parameter.
@FlipSky FlipSky changed the title Do not use environment variables - security issue Do not use environment variables by default - security issue Nov 28, 2020
@subchen
Copy link
Owner

subchen commented Dec 3, 2020

This will bring to backward compatibility problems, need update in next major version release.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@subchen @FlipSky