-
Notifications
You must be signed in to change notification settings - Fork 77
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Multi-variable destructuring breaks when working with webpack 3 #70
Comments
@evisong Very interesting find. A brief history of this plugin: We actually used to do what you have recommended (see PR #42), but by defining a single property as i.e. env
script.js console.log(process.log.NOTASECRET) bundle.js console.log({"NOTASECRET":"123","SECRET":"321"}.NOTASECRET) While there are many approaches that can solve this with different levels of effort, we opted to steer away from "white-listing" variables and such and just letting you expose what you choose in your code. Let me do a little more investigating since webpack have changed the bundling mechanics since we last looked at this. Anyone else interested feel free to chime in as well. |
I can confirm your suggestion would leak the data, however you are completely right in saying that the current approach does not support destructors due to the bundling methods. I have added all of my test files to the dotenv-webpack-example repo you can review either below or view the source at https://github.com/mrsteele/dotenv-webpack-example. GoalsOur goals are consistent between the test cases:
Consistent Test FilesThe following files were consistent between the test cases. env
script.js const { TEST, TEST2 } = process.env
document.querySelector('body').innerHTML = `
Structured: ${process.env.TEST}<br />
Destructured: ${TEST}<br />
<hr />
Structured: ${process.env.TEST2}<br />
Destructured: ${TEST2}<br />
` @evisong's Suggested ApproachThis approach is to pull all the variables to be defined from the environment into a single property Goals
bundle.js...
var _process$env = Object({"TEST":"Works!","TEST2":"Yes!","TEST_SECRET":"nope"}),
TEST = _process$env.TEST,
TEST2 = _process$env.TEST2;
document.querySelector('body').innerHTML = '\n Structured: ' + "Works!" + '<br />\n Destructured: ' + TEST + '<br />\n <hr />\n Structured: ' + "Yes!" + '<br />\n Destructured: ' + TEST2 + '<br />\n';
... Current ApproachThe current approach (latest in prod) defines a key-value pair object that prefixes Goals
bundle.js...
var _process$env = process.env,
TEST = "Works!",
TEST2 = "Yes!";
document.querySelector('body').innerHTML = '\n Structured: ' + "Works!" + '<br />\n Destructured: ' + TEST + '<br />\n <hr />\n Structured: ' + "Yes!" + '<br />\n Destructured: ' + TEST2 + '<br />\n';
... I'm all ears for suggestions. Of course the suggested workaround would just be to define your variables explicitly since that currently works and doesn't pose a security threat for your application. |
@mrsteele your comments is very detailed & professional, thanks, I also look forward to any others' feedback. Btw, do you think it's a good idea to submit our use case to webpack? The key is that it used to work well with webpack 2. |
@evisong thanks and I appreciate the feedback. I think it may be worth mentioning to webpack. We have definitely done the research beforehand and we can use the previous ticket you mentioned above as a guide as well. The time may be soon approaching where we have to circumvent |
Happen to find that I was using [email protected] previously with webpack 2, and the 893d0d0 security fix is introduced in 1.4.3. So this issue should also apply to all webpack versions, right? The current workaround is working well: const { DB_HOST } = process.env;
const { DB_PASS } = process.env; |
Workarounds are great, but I think the original issue still stands:
|
This prevents me from doing things like:
|
@33Fraise33 I understand the frustration, unfortunately this is a complication in the way I opted to keep things they way they are for the purposes of security and not accidentally leaking any information out that you don't wanna leak. |
Not sure if webpack allows this, but could it be possible to do a two-pass scan? This way the first one could search for all the environment variables used in the object destructure, and later do the white-list of them... |
Hey everyone, I wanted to ask if this was still a problem. I just did a test on my mrsteele/dotenv-webpack-example@947cb5c app to see if this was still a problem and it looks like the latest version of webpack has destructing working just fine. Can anyone else confirm? |
Maybe asking to |
It worked for me. It loaded just fine all the variables I referenced and didn't leak anything out so I imagine there is some magic transpiling/tree-shaking going on that resolved this on there end. @piranna have you tried to upgrade webpack and babel? |
My bundle.js still contains
Splitting the multi-variable destructuring into separate assignments avoids this problem, as suggested |
I'm using
Still can not do:
But yeah the wordaround mentioned here works. |
I'm using |
I just stumbled on the same issue where the line below works:
Whereas the line below throws the
The workaround below does indeed work but doing this mostly defeats the purpose of destructuring:
Even worse, if you
This seems extremely counter intuitive and confusing from a developer's perspective and I'm sure this has and will continue to trip up developers because of understandable assumptions. If you want to drive a developer crazy, it looks like you found an effective method. If you can access |
I think we can close this and focus on webpack 5 |
Can there be any fix for this issue in Webpack 5? |
I have noticed this works intermittently in webpack 5. I think some of the gatchas mentioned above are the reasonings. I do know with webpack 5 we have to be careful about the "target" property from webpack to make sure we are targeting a web environment when we build. Since this plugin uses Alternatively, we could look at using something other than new Dotenv({
envVarName: 'process.env' // The default, but maybe we could configure it? Perhaps there is too much complexity for DefinePlugin to read from this variable...
}) |
I do not recommend destructuring |
@sibelius what do you propose? |
create a export const config = {
API_URL: process.env.API_URL,
}; always consume process.env from that file, so you can destructure if needed |
Anyway to make the destructuring? |
I had used it in webpack 5+ but found it didn't work still. I think they don't think the destructuring is a good idea at all. So...As you can see anyone give up for using the function anymore. |
Hi, team,
Found an interesting bug:
Issue
Using [email protected] and [email protected],
Use the vars in JS:
Would cause runtime error:
Expected
It should replace both vars at compile time.
Possible Root Cause
I believe this issue is caused by webpack/webpack#5215
So I changed the JS to:
It works well as expected.
I debugged the plugin and found that the underlying
formatData
(https://github.com/mrsteele/dotenv-webpack/blob/master/src/index.js#L63) transferred towebpack.DefinePlugin
is:However the format that recommended in webpack/webpack#5215 (comment) is:
So I guess a minor fix in
dotenv-webpack
would solve the issue.However, I think it ought to be a
webpack.DefinePlugin
regression bug, since it the currentformatData
used to work well with webpack 2.What do you think? Thanks.
The text was updated successfully, but these errors were encountered: