Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

config.gypi file contains envinroment variables including proxy authentication credentials #538

Closed
animedbz16 opened this issue Nov 21, 2014 · 2 comments

Comments

@animedbz16
Copy link

Essentially, I need to set my http_proxy environment variable in order to connect to the internet via our proxy server to install modules via npm.

I recently noticed that for a specific module there was a build/config.gypi file that appears to actually contain my proxy environment settings, which seems to be a security issue.

Just wanted to follow this up here since this issue may have not been related to the original module where I had opened an issue. More information can be found there:

websockets/ws#400

@Trott
Copy link
Member

Trott commented Apr 15, 2018

@nodejs/node-gyp Should this remain open?

@bnoordhuis
Copy link
Member

Depends on whether it's harmful. node-gyp doesn't store the http_proxy environment variable, it stores the npm_config_* variables (from .npmrc and the command line) that npm passes to node-gyp. That's used to pass additional build options so that can't be removed.

We could filter specific variables but that might still break some add-ons. You don't normally redistribute config.gypi so I don't really see the harm in leaving it as-is.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

4 participants