Meteor-feature-requests: Console logging settings with "Error: METEOR_SETTINGS are not valid JSON" should be optional, to prevent leaking credentials to log processors etc.

Created on 26 Apr 2018 · 3 Comments · Source: meteor/meteor-feature-requests

Problem

When the Meteor application starts it reads the environment variable METEOR_SETTINGS. If that exists but isn't valid JSON, the app will log the content of METEOR_SETTINGS to the console. In many production systems, logs from the application will be forwarded to various logging systems, sometimes third-party ones. All credentials in your settings will be leaked if you have any errors in your JSON.

Suggested solution

Use an environment variable to decide if you want to log the entire content of METEOR_SETTINGS, or just log the error message "METEOR_SETTINGS are not valid JSON", without the actual settings. If it defaults to logging the settings it will be backwards compatible (although I think the default should gravitate towards security, I'd rather see this implemented quickly, so no breaking changes is probably better).

The only alternatives I can see as of now are to use another program to validate the JSON before the app starts. This is fairly annoying, especially when using Docker, since that would expect the app to run as PID 1. One could also parse the logs and only forward logs that aren't settings, but that's just... hard.

Minor changes here would do it.

JS Environment confirmed pull-requests-encouraged

All 3 comments

Good point @datacarl. I'm all for keeping this simple and just changing

throw new Error("METEOR_SETTINGS are not valid JSON: " + process.env.METEOR_SETTINGS);

to

throw new Error("METEOR_SETTINGS are not valid JSON.");

Dumping process.env.METEOR_SETTINGS doesn't really add much value. pull-requests-encouraged - thanks!

Great, will submit a PR!

Landed via https://github.com/meteor/meteor/commit/b6a385dfb2bc1e565bb5c0f5ddf6cdc5796a95df in meteor/meteor#9843. Thanks @datacarl!

I expect this will surface in Meteor 1.7.
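The change discussed in this thread, sketched as an added example (not Meteor's own code): the old message format from the comment above next to a parser that reports the failure without echoing the value. The function names, the object-shape check and the sample secret are assumptions made for illustration.

```javascript
// Added example; helper names are hypothetical and the sample values are constructed.
const GENERIC_MESSAGE = "METEOR_SETTINGS are not valid JSON.";

// Old behaviour quoted in the thread: the raw settings end up in the error text.
function oldMessage(raw) {
  return "METEOR_SETTINGS are not valid JSON: " + raw;
}

// Parse the settings string; on failure, raise an error that carries no input data.
function parseSettings(raw) {
  if (raw === undefined || raw === "") return {}; // assumption: unset means "no settings"
  let parsed;
  try {
    parsed = JSON.parse(raw);
  } catch (err) {
    // Do not reuse err.message or chain err as a cause: recent V8 releases
    // quote a fragment of the input in JSON.parse SyntaxError messages.
    throw new Error(GENERIC_MESSAGE);
  }
  if (parsed === null || typeof parsed !== "object" || Array.isArray(parsed)) {
    throw new Error("METEOR_SETTINGS must be a JSON object.");
  }
  return parsed;
}

// Everything a log forwarder would see for a failed parse (message plus stack).
function errorTextFor(raw) {
  try {
    parseSettings(raw);
    return null;
  } catch (err) {
    return `${err.message}\n${err.stack}`;
  }
}

// Constructed input: a trailing comma makes the JSON invalid.
const SECRET = "s3cr3t-constructed-value";
const broken = `{"private": {"apiKey": "${SECRET}"},}`;

function leaks(text) {
  return text.includes(SECRET);
}

console.log("old message leaks secret:", leaks(oldMessage(broken)));
console.log("new error text leaks secret:", leaks(errorTextFor(broken)));
```
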
