feat(config): support Docker Compose _FILE secrets for env vars #5529
themavik wants to merge 2 commits into Infisical:main from
✅ Snyk checks have passed. No issues have been found so far.
Greptile Summary
Confidence Score: 1/5
Last reviewed commit: 8ae642e
| function resolveDockerSecrets() { | ||
| for (const [key, filePath] of Object.entries(process.env)) { | ||
| if (!key.endsWith("_FILE") || !filePath) continue; | ||
| const baseKey = key.slice(0, -5); | ||
| if (process.env[baseKey]) continue; | ||
| try { | ||
| process.env[baseKey] = fs.readFileSync(filePath, "utf8").trim(); | ||
| } catch { | ||
| // Intentionally silent — downstream Zod schema will report missing required variable | ||
| } | ||
| } | ||
| } |
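Review bot: `if (process.env[baseKey]) continue;` tests truthiness, so a base variable deliberately set to the empty string is overwritten from the file, and the bare key `_FILE` yields an empty baseKey that is then assigned; use `if (baseKey === "" || baseKey in process.env) continue;` so "explicitly set" means what the docblock says. The `.trim()` also silently alters secrets whose leading or trailing whitespace is significant; stripping only one trailing newline (what a secret file typically carries) is safer for a credential.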
Critical Path Traversal Vulnerability
Bad actors can use any *_FILE env var to read arbitrary files from the filesystem using path traversal patterns. An attacker with control over environment variables (e.g., through container orchestration misconfigurations, CI/CD injection, or compromised deployment configs) could:
- Exfiltrate sensitive files by setting them as config values that get logged or transmitted
- Read application secrets from other locations on the filesystem
- Access system files like private keys or database configs
Required Fix: Restrict file paths to allowed directories (e.g., /run/secrets/, /var/run/secrets/). Use path.resolve() to get absolute paths and verify they start with an allowed directory prefix before reading.
| const baseKey = key.slice(0, -5); | ||
| if (process.env[baseKey]) continue; | ||
| try { | ||
| process.env[baseKey] = fs.readFileSync(filePath, "utf8").trim(); |
Missing file size limit allows reading extremely large files into memory, potentially causing DoS. Add max file size check (e.g., 1MB limit) before readFileSync.
| } catch { | ||
| // Intentionally silent — downstream Zod schema will report missing required variable | ||
| } |
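Review bot: The bare `catch {}` swallows every error class, and the comment's reliance on the Zod schema only holds for required variables: an optional secret whose file is unreadable (wrong path, EACCES, or a directory, EISDIR) silently stays unset with no trace in the logs. At minimum log the key name and `err.code` (never the file contents) before continuing.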
Silent error handling hides critical issues. If an attacker provides an invalid path, you won't know whether the file doesn't exist or if there's a permission issue. Consider logging errors or at least distinguishing between ENOENT and EACCES.
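The three review points above (directory allow-list, size cap, explicit error reporting) combined into one hardened variant of the function, as an added example that is not Infisical's code; the `allowedDirs`, `maxBytes` and `log` options and their defaults are assumptions for illustration.

```typescript
import * as fs from "node:fs";
import * as path from "node:path";

// Added example, not Infisical's code: a hardened resolveDockerSecrets that applies
// the three review points (directory allow-list, size cap, explicit error reporting).
type Env = Record<string, string | undefined>;
interface ResolveOptions {
  allowedDirs?: string[];      // assumed default: Docker/Kubernetes secret mounts
  maxBytes?: number;           // assumed default: 1 MiB
  log?: (msg: string) => void; // assumed: caller-provided logger
}

// Returns the names of the base variables it populated.
function resolveDockerSecrets(env: Env = process.env, opts: ResolveOptions = {}): string[] {
  // Trailing separator so "/run/secrets-evil" does not match "/run/secrets".
  const allowedDirs = (opts.allowedDirs ?? ["/run/secrets", "/var/run/secrets"])
    .map((d) => path.resolve(d) + path.sep);
  const maxBytes = opts.maxBytes ?? 1024 * 1024;
  const log = opts.log ?? ((m: string) => console.warn(m));
  const resolved: string[] = [];

  for (const [key, filePath] of Object.entries(env)) {
    if (!key.endsWith("_FILE") || !filePath) continue;
    const baseKey = key.slice(0, -5);
    // `in` instead of truthiness: an explicitly empty base var is left alone.
    if (baseKey === "" || baseKey in env) continue;

    // Normalise first, then prefix-check, so "../" segments cannot escape.
    const abs = path.resolve(filePath);
    if (!allowedDirs.some((dir) => abs.startsWith(dir))) {
      log(`${key}: refusing path outside allowed secret directories`);
      continue;
    }
    try {
      const st = fs.statSync(abs);
      if (!st.isFile()) { log(`${key}: not a regular file`); continue; }
      if (st.size > maxBytes) { log(`${key}: exceeds ${maxBytes} bytes`); continue; }
      // Strip only one trailing newline (common in secret files); keep other whitespace.
      env[baseKey] = fs.readFileSync(abs, "utf8").replace(/\r?\n$/, "");
      resolved.push(baseKey);
    } catch (err) {
      const code = (err as { code?: string }).code;
      if (code === "ENOENT") log(`${key}: secret file not found: ${abs}`);
      else if (code === "EACCES") log(`${key}: permission denied: ${abs}`);
      else log(`${key}: read failed (${code ?? String(err)}): ${abs}`);
    }
  }
  return resolved;
}
```

`path.resolve` normalises `..` segments but does not follow symlinks; if the secret mount may contain links, apply `fs.realpathSync` after the stat and re-check the prefix on the real path.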
| /** | ||
| * Resolve Docker Compose / Swarm _FILE-suffixed env vars. | ||
| * For every env var that ends with _FILE, read the file it points to and | ||
| * set the base env var (without the suffix) to the file contents — unless | ||
| * the base var is already explicitly set. | ||
| * Example: ENCRYPTION_KEY_FILE=/run/secrets/enc_key → ENCRYPTION_KEY=<file contents> | ||
| */ |
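Review bot: The docblock should state when this must run: it mutates process.env, so it has to be called before the Zod env schema parses the environment, otherwise the resolved values are never seen and the "downstream Zod schema will report" reasoning in the implementation does not hold. It should also name the accepted file locations once the path restriction is added, since that is what operators need to know to place their secret mounts.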
How will customers discover this _FILE suffix feature? No documentation found in the /docs folder for Docker secrets or _FILE environment variables.
Adds resolveDockerSecrets() to read _FILE environment variables, enabling Docker Compose secrets support for sensitive configuration.