Blog

ColdBox Elixir v3 Security Update

Eric Peterson January 22, 2021

Spread the word

Eric Peterson

January 22, 2021

Spread the word

Share your thoughts

Ortus Solutions

On January 12, 2021 we became aware of a security vulnerability in ColdBox Elixir. If an application using ColdBox Elixir bundled any code that contained references to process.env without explicitly setting the value using the webpack.ProvidePlugin then the outputed bundle would contain an object of all the environment variables. This would happen even if it was a vendor library that checked for process.env.* which is very common - many libraries check for process.env.NODE_ENV to enable optimizations or additional development logging. Since JavaScript is shipped to user's browsers, these environment variables are leaked and should be considered comprimised. Many of our own environment variables used in our CI processes were leaked, including SSH keys, S3 credentials, and database credentials. We recommend that you rotate all keys that are in the environment resposible for bundling your code with ColdBox Elixir.

ColdBox Elixir v3.1.7 and later were released to patch this vulnerability. We urge you to upgrade right away. Note that all referenced environment variables (via process.env) need to be explicitly declared in your Elixir config file, whether referenced by your own application code or third-party dependencies. We've added two features to make this transition easier.

First, automatic NODE_ENV environments. Elixir will provide a NODE_ENV value to your bundled code based on the current Elixir environment. If you desire to control this manually, setting a NODE_ENV in your environment will take precedence.

Second, a mix.env method. This method takes an array of environment keys to provide to your bundled code. If any of the keys are missing, your build will fail. Alternatively, you can provide an object with keys being the environment variable name and the value being a fallback value if the key is missing. This method passes directly to webpack.EnvironmentPlugin, so all the features listed for that plugin apply.

We deeply regret this security vulnerability and any additional work it has caused you. Please upgrade ColdBox Elixir and rotate your secrets straightaway.

Add Your Comment

Recent Entries

Ortus June 2024 Newsletter!

Ortus June 2024 Newsletter!

Welcome to the latest edition of the Ortus Newsletter! This month, we're excited to bring you highlights from our sessions at CFCamp and Open South Code, as well as a sneak peek into our upcoming events. Discover the latest developments in BoxLang, our dynamic new JVM language, and catch up on all the insightful presentations by our expert team. Let's dive in!

Maria Jose Herrera
Maria Jose Herrera
June 28, 2024
BoxLang June 2024 Newsletter!

BoxLang June 2024 Newsletter!

We're thrilled to bring you the latest updates and exciting developments from the world of BoxLang. This month, we're diving into the newest beta release, introducing a new podcast series, showcasing innovative integrations, and sharing insights from recent events. Whether you're a seasoned developer or just getting started, there's something here for everyone to explore and enjoy.

Maria Jose Herrera
Maria Jose Herrera
June 28, 2024
BoxLang 1.0.0 Beta 3 Launched

BoxLang 1.0.0 Beta 3 Launched

We are thrilled to announce the release of BoxLang 1.0.0-Beta 3! This latest beta version is packed with exciting new features and essential bug fixes, including robust encryption functionality, enhanced Java interoperability, and more efficient event handling. Key highlights include the introduction of query caching capabilities, seamless coercion of Java Single Abstract Method (SAM) interfaces from BoxLang functions, and support for virtual thread executors. So, let’s dive into the details of what’s new in BoxLang 1.0.0-Beta 3 and how you can start leveraging these updates today!

Luis Majano
Luis Majano
June 28, 2024