Monday, May 5, 2014

NodeJS 0.8.x May Leak Your Environment Variables

NodeJS up to 0.8.x will, under some circumstances, dump your environment variables into a file that you may inadvertently check into source control. If you have sensitive information stored in your environment, it will be exposed when you publish the repository.

If you've used NodeJS to build any of your projects, particularly if they're open-source, search for a file called .lock-wscript under your node_modules directory. If it exists, it will probably contain a dump of your environment variables.

This happened to me and I only found out about it when Amazon notified my client that her AWS credentials had been compromised and gave her a link to a file under my Github account. Not a great look. Fortunately, that gave me a chance to invalidate the credentials before any harm was done.

Since then, I've taken the following steps:

  • 23 Apr 2014 - Reported the issue to cert.org (they declined to publish it)
  • 24 Apr 2014 - Emailed security@github.org (received no response; Github will add .lock-wscript to their standard .gitignore)
  • 24 Apr 2014 - Emailed security@nodejs.org (who have responded with a security patch)
  • 6 May 2014 - Published this blog entry and notified the NodeJS mailing list

Fedor from the NodeJS team responded with this patch. I haven't tested it because I'm not actually using 0.8.x any more and, to me, the real issue is that there are existing published repositories with people's environment variables dumped in them.

Should it matter?

The existence of this file isn't news. Presumably a lot of people knew that it contained environment variables and didn't think it was a problem. Others, including myself, were under the mistaken impression that environment variables are private and are a reasonable place to store sensitive information such as security keys.

The combination of these two assumptions (by separate parties) can, and in my case did, lead to sensitive data being exposed.

For my part, if I do use the environment to ship sensitive information around in future, I won't be exporting it from my shell.

Recommended Actions

My personal recommendations for what you should do:

 - Check your own repositories for .lock-wscript files and invalidate any keys contained within.
 - Add .lock-wscript to your global .gitignore.
 - Review the environment that your shell is passing to every program you run and move anything sensitive into a more local scope.
 - Tell your friends about this if they might be affected.
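A way to carry out the first two checks, as an added example that is not from the original post: it constructs a fake lock file (the Python-style quoting of variable names is an assumption about the waf format), finds .lock-wscript files in the working tree and in git history, and reports credential-looking variable names rather than their values.

```sh
#!/bin/sh
# Added example, not from the original post: audit a repository for
# .lock-wscript files, including ones already deleted from the working tree
# but still present in git history, and list credential-looking variable names.
set -eu

# Every .lock-wscript in the working tree of REPO (the .git directory is skipped).
lock_files_in_tree() {
  find "$1" -name .git -prune -o -name .lock-wscript -print
}

# Every .lock-wscript ever committed on any branch of REPO. A later "git rm"
# leaves the blob in history, so the dump still ships with a published clone:
# rotate the keys first, then rewrite history.
lock_files_in_history() {
  git -C "$1" log --all --name-only --pretty=format: -- '*.lock-wscript' \
    | sed '/^$/d' | sort -u
}

# Variable names in FILE that look like credentials. Assumes names appear
# quoted as 'NAME' (a Python-style dict dump); prints names only, never
# values, so the audit output does not itself leak anything.
sensitive_names() {
  grep -oE "'[A-Z0-9_]*(SECRET|TOKEN|PASSW(OR)?D|KEY|CREDENTIAL)[A-Z0-9_]*'" "$1" \
    | tr -d "'" | sort -u
}

# Constructed sample lock file: format assumed, values fake.
write_sample_lock() {
  mkdir -p "$(dirname "$1")"
  cat > "$1" <<'EOF'
argv = ['node-waf', 'configure', 'build']
environ = {'HOME': '/home/dev', 'AWS_ACCESS_KEY_ID': 'AKIAFAKE', 'AWS_SECRET_ACCESS_KEY': 'fake', 'SHELL': '/bin/sh'}
EOF
}

# Throwaway repo in which the lock file was committed and then removed.
demo_repo() {
  repo=$(mktemp -d)
  g() { git -C "$repo" -c user.name=audit -c user.email=audit@example.invalid "$@"; }
  write_sample_lock "$repo/node_modules/bcrypt/.lock-wscript"
  g init -q && g add -A && g commit -qm 'add native module'
  g rm -q node_modules/bcrypt/.lock-wscript && g commit -qm 'drop lock file'
  echo "$repo"
}

if command -v git >/dev/null 2>&1; then
  r=$(demo_repo)
  echo "in tree:";    lock_files_in_tree "$r"    # nothing: already removed
  echo "in history:"; lock_files_in_history "$r" # node_modules/bcrypt/.lock-wscript
fi
```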


Updates:

8 May 2014 - Github security are adding .lock-wscript to their standard .gitignore file.

1 comment:

kosit la-orngsri said...

The past may not be as important as the present, but the past still carries its ties.