An alternative way to assert environment variables.
Yarn is recommended for installation.
$ yarn add ctrl-env
But you can still use npm:
$ npm install --save ctrl-env
// Example app.js:
const CtrlEnv = require('ctrl-env')
const ctrlEnv = new CtrlEnv([
['SECRET']
, ['PORT', {required: false}]
], {
prefix: 'TWITTER_FEED'
})
ctrlEnv.assert()
// Some Twitter Feed and Server pseudo code:
http.on('/feed', (request, response) => {
Twitter.getFeed({
handle: '_experiments'
, secret: ctrlEnv.SECRET
}, (error, feed) => {
if (error) {
throw error
}
response.send(feed)
})
})
http.listen(ctrlEnv.PORT)
$ TWITTER_FEED_SECRET='twitter_secret_key' TWITTER_FEED_PORT=8080 node app.js
$ # or
$ TWITTER_FEED_SECRET='twitter_secret_key' node app.js
The constructor takes an array of environment variables to expect. The variables themselves can be configured:
const exampleEnvVars = [
// Variable is required and can be any value:
['REQUIRED_VARIABLE']
// Variable is optional and can be any value:
, ['OPTIONAL_VARIABLE', {required: false}]
// Variable is required and can only be yes or no:
, ['LIMITED_VARIABLE', {values: ['yes', 'no']}]
// Variable is required and can only be an integer:
, ['TYPED_VARIABLE', {type: 'integer'}]
// Variable is optional and can only be yes or no:
, ['OPTIONAL_LIMITED_VARIABLE', {required: false, values: ['yes', 'no']}]
// Variable is required but is not prefixed:
, ['NODE_ENV', {prefixed: false}]
]
const ctrlEnv = new CtrlEnv(exampleEnvVars)
The constructor also takes an optional prefix and separator. The separator only determines what separates the prefix and the variable name:
// Variables must be labeled TEST_(VARIABLENAME):
new CtrlEnv(..., {prefix: 'TEST'})
// Variables must be labeled TEST___(VARIABLENAME):
new CtrlEnv(..., {prefix: 'TEST', separator: '___'})
The assert() method actually reads the environment variables and asserts that they exist and have the required values. Note: this method is synchronous.
To read an environment variable, simply use the variable name without the prefix as a property of your CtrlEnv instance. This property is a proper ES2015 getter that does not have a setter. It cannot be overwritten without using Object.defineProperty.
This property returns an object with all asserted environment variables. It is a proper ES2015 getter that does not have a setter. It cannot be overwritten without using Object.defineProperty.
Note: This deprecates #get() from v1.
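The sections above describe the whole pattern: declare the expected variables up front, read them once and synchronously at startup, fail fast when a required value (such as a secret) is missing or malformed, and expose the results through read-only getters. The following is an added example that reimplements that pattern in plain Node.js so the behaviour can be exercised offline; it is not ctrl-env's own code, the class and function names (EnvAsserter, buildOk, failingMessage, missingMessage, overwriteAttempt) are hypothetical, and the environment it reads is a constructed object passed in instead of process.env.

```javascript
// Added example: a minimal reimplementation of the assert-on-startup pattern.
// This is NOT ctrl-env's own code; EnvAsserter and the helper functions are
// hypothetical names. An env object is injected so the logic can be run
// against constructed input rather than the real process.env.
class EnvAsserter {
  constructor(vars, opts = {}, env = process.env) {
    this.vars = vars.map(([name, cfg = {}]) => ({
      name,
      required: cfg.required !== false,   // default: required
      values: cfg.values || null,         // allowed literal values, if any
      type: cfg.type || null,             // only 'integer' is handled here
      prefixed: cfg.prefixed !== false    // default: prefix applies
    }))
    this.prefix = opts.prefix || null
    this.separator = opts.separator || '_'
    this.env = env
    this.values = Object.create(null)
  }

  // Full environment key, honouring prefix, separator and per-variable prefixed flag.
  keyFor(v) {
    return this.prefix && v.prefixed ? `${this.prefix}${this.separator}${v.name}` : v.name
  }

  // Reads every declared variable once, synchronously, and throws on the first problem.
  assert() {
    for (const v of this.vars) {
      const key = this.keyFor(v)
      const raw = this.env[key]
      if (raw === undefined) {
        if (v.required) throw new Error(`Missing required environment variable ${key}`)
        continue
      }
      if (v.values && !v.values.includes(raw)) {
        throw new Error(`${key} must be one of ${v.values.join(', ')}`)
      }
      let value = raw
      if (v.type === 'integer') {
        if (!/^-?\d+$/.test(raw)) throw new Error(`${key} must be an integer`)
        value = parseInt(raw, 10)
      }
      this.values[v.name] = value
      // Getter without a setter: plain assignment cannot replace the value.
      Object.defineProperty(this, v.name, { get: () => this.values[v.name], enumerable: true })
    }
    return this
  }

  // Snapshot of everything that was asserted (frozen copy, so callers cannot mutate it).
  get all() { return Object.freeze({ ...this.values }) }
}

// Constructed sample environment for the example (not a real deployment):
const sampleEnv = {
  TWITTER_FEED_SECRET: 'twitter_secret_key',
  TWITTER_FEED_PORT: '8080',
  TWITTER_FEED_DEBUG: 'maybe',
  NODE_ENV: 'test'
}

// Happy path: required secret present, optional typed port, unprefixed NODE_ENV.
function buildOk() {
  return new EnvAsserter([
    ['SECRET'],
    ['PORT', { required: false, type: 'integer' }],
    ['NODE_ENV', { prefixed: false }]
  ], { prefix: 'TWITTER_FEED' }, sampleEnv).assert()
}

// A limited variable holding a value outside its allowed set must fail.
function failingMessage() {
  try {
    new EnvAsserter([['DEBUG', { values: ['yes', 'no'] }]], { prefix: 'TWITTER_FEED' }, sampleEnv).assert()
    return null
  } catch (e) { return e.message }
}

// A missing required variable must fail before the app starts serving.
function missingMessage() {
  try {
    new EnvAsserter([['SECRET']], { prefix: 'OTHER' }, sampleEnv).assert()
    return null
  } catch (e) { return e.message }
}

// Assigning to the getter is a no-op (or a TypeError in strict mode); the value is unchanged.
function overwriteAttempt() {
  const c = buildOk()
  try { c.SECRET = 'other' } catch (e) { /* strict-mode TypeError, expected */ }
  return c.SECRET
}
```

Running buildOk() against the sample environment yields SECRET as a string, PORT coerced to the integer 8080 and NODE_ENV read without the prefix, while failingMessage() and missingMessage() show the two fail-fast paths; the important property for a service is that a missing secret aborts startup instead of letting a request handler run with undefined credentials.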
Copyright (c) 2017 Martin Experiments LLC
FAQs
We found that ctrl-env demonstrated an unhealthy version release cadence and project activity because the last version was released a year ago. It has 1 open source maintainer collaborating on the project.