On January 12, 2021 we became aware of a security vulnerability in ColdBox Elixir. If an application using ColdBox Elixir bundled any code that contained a reference to process.env without explicitly setting the value using the webpack.ProvidePlugin, then the output bundle would contain an object holding all of the environment variables of the process that ran the build. Because build environments routinely carry API keys, database credentials and similar secrets, those values were shipped to every client that downloaded the bundle. This happened even when the reference came from a vendor library that checked process.env.*, which is very common - many libraries check for
ColdBox Elixir v3.1.7 and later were released to patch this vulnerability. We urge you to upgrade right away. Note that after upgrading, every environment variable referenced via process.env needs to be explicitly declared in your Elixir config file, whether the reference is in your own application code or in a third-party dependency. We've added two features to make this transition easier.
First, automatic NODE_ENV: Elixir provides a NODE_ENV value to your bundled code based on the current Elixir environment. If you want to control this manually, a NODE_ENV set in your environment takes precedence.
Second, the mix.env method: it takes an array of environment variable names to provide to your bundled code, and if any of them is missing from the build environment the build fails. Alternatively, you can pass an object whose keys are the environment variable names and whose values are fallbacks used when the variable is missing. The method passes its argument straight through to webpack.EnvironmentPlugin, so everything documented for that plugin applies.
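The following is an added example, not ColdBox Elixir's or webpack's own code. It stands in for two things described above: the key-resolution rules that mix.env passes through to webpack.EnvironmentPlugin (an array means every key is required and a missing one fails the build; an object supplies fallbacks, with a value set in the environment, including NODE_ENV, taking precedence), and a check you can run against an already-built bundle to see whether undeclared build-time environment values were serialised into it. The function names (resolveEnvSpec, applyDefines, vulnerableBundle, findLeakedEnv), the sample source and the environment values are all constructed for this example; only EnvironmentPlugin and DefinePlugin are real webpack names.

```javascript
// Added example, not ColdBox Elixir's or webpack's own code. resolveEnvSpec,
// applyDefines, vulnerableBundle and findLeakedEnv are constructed here; the
// sample environment and source are placeholders, not real credentials.

// Resolve an Elixir-style env spec against the build environment, returning a
// DefinePlugin-style map `process.env.KEY` -> JSON literal. Mirrors the rules
// the advisory states for mix.env / EnvironmentPlugin: an array entry with no
// value in the environment fails the build; an object value is used only as a
// fallback when the variable is unset, so a real NODE_ENV wins over a default.
function resolveEnvSpec(spec, env) {
  const defines = {};
  const entries = Array.isArray(spec)
    ? spec.map((key) => [key, undefined])
    : Object.entries(spec);
  for (const [key, fallback] of entries) {
    const value = env[key] !== undefined ? env[key] : fallback;
    if (value === undefined) {
      throw new Error(`mix.env: environment variable ${key} is not set and has no fallback`);
    }
    defines[`process.env.${key}`] = JSON.stringify(value);
  }
  return defines;
}

// Replace each declared `process.env.KEY` expression in application source
// with its literal, the way DefinePlugin does. Longer expressions go first so
// `process.env.API_URL_V2` is not clobbered by a replacement for
// `process.env.API_URL`.
function applyDefines(source, defines) {
  return Object.entries(defines)
    .sort(([a], [b]) => b.length - a.length)
    .reduce((out, [expr, literal]) => out.split(expr).join(literal), source);
}

// The pre-3.1.7 failure mode: a bare `process.env` reference is replaced by the
// entire environment object, which then ships inside the bundle.
function vulnerableBundle(source, env) {
  return source.split('process.env').join(JSON.stringify(env));
}

// Scan a built bundle for the values of build-environment variables that were
// NOT explicitly declared. Matching on values rather than names catches the
// leak however the object was serialised; short values are skipped to limit
// false positives. Returns the sorted names of variables whose values appear.
function findLeakedEnv(bundleSource, env, declaredKeys, minLength = 8) {
  const declared = new Set(declaredKeys);
  return Object.entries(env)
    .filter(([name, value]) =>
      !declared.has(name) &&
      typeof value === 'string' &&
      value.length >= minLength &&
      bundleSource.includes(value))
    .map(([name]) => name)
    .sort();
}

// Constructed build environment: placeholder values, not real credentials.
const BUILD_ENV = {
  NODE_ENV: 'production',
  API_URL: 'https://api.example.test',
  DB_PASSWORD: 'example-db-password-not-real',
  AWS_SECRET_ACCESS_KEY: 'exampleSecretAccessKey0123456789',
};

// Constructed application source: one direct reference plus the vendor-style
// `process.env.NODE_ENV` check the advisory describes as very common.
const APP_SOURCE =
  'if(process.env.NODE_ENV!=="production"){console.log("dev")}' +
  'fetch(process.env.API_URL+"/items");';

// Keys the application explicitly declares via mix.env.
const DECLARED = ['NODE_ENV', 'API_URL'];

// Build the bundle both ways and report which undeclared variables leaked.
function demo() {
  const before = vulnerableBundle(APP_SOURCE, BUILD_ENV);
  const after = applyDefines(APP_SOURCE, resolveEnvSpec(DECLARED, BUILD_ENV));
  return {
    leakedBefore: findLeakedEnv(before, BUILD_ENV, DECLARED), // secrets present
    leakedAfter: findLeakedEnv(after, BUILD_ENV, DECLARED),   // nothing leaked
  };
}

console.log(demo());
```

To check a real deployment, point findLeakedEnv at the text of your published bundle and at a snapshot of the environment the affected build actually ran in; anything it reports should be treated as exposed and rotated.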
We deeply regret this security vulnerability and any additional work it has caused you. Please upgrade ColdBox Elixir and rotate your secrets straightaway: treat any secret that was present in the environment of any machine that ran an affected build, developer workstations and CI runners included, as exposed, since the resulting bundle may already have been served to clients.