feat: Increase security by virtualizing `$env/static/*` #5825

tcc-sejohnson · 2022-08-05T03:41:41Z

Previously, the contents of $env/static/* were written to the disk in .svelte-kit/runtime/env/static/*.js. We'd like to prevent dumping the environment to the disk, so this is a test implementation of using virtual modules.

A couple of questions for those wiser than I:

How do we make this work with build? It seems to work in dev, but throws a big red error when running build.
Are there any cases where this might come back to bite us?

Big thanks to @dominikg for the first "test" implementation of this.

HEADS UP!

We're about to embark on a significant redesign that will touch many parts of the codebase. Until that work is finished, PRs are very likely to result in merge conflicts, and will likely be ignored until the redesign work is complete (by which time they will likely be stale). Please consider delaying your PR until then.

Thank you for understanding!

Please don't delete this checklist! Before submitting the PR, please make sure you do the following:

It's really useful if your PR references an issue where it is discussed ahead of time. In many cases, features are absent for a reason. For large changes, please create an RFC: https://github.com/sveltejs/rfcs
This message body should clearly illustrate what problems it solves.
Ideally, include a test that fails without this PR but passes with it.

Tests

Run the tests with pnpm test and lint the project with pnpm lint and pnpm check

Changesets

If your PR makes a change that should be noted in one or more packages' changelogs, generate a changeset by running pnpm changeset and following the prompts. All changesets should be patch until SvelteKit 1.0

changeset-bot · 2022-08-05T03:41:44Z

🦋 Changeset detected

Latest commit: d6957ec

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 1 package

Name	Type
@sveltejs/kit	Patch

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

tcc-sejohnson · 2022-08-05T05:14:48Z

Extracted the env module replacement out into its own Vite plugin, adding it to the array returned by sveltekit. Tadaa!

packages/kit/src/vite/index.js

Co-authored-by: Ben McCann <322311+benmccann@users.noreply.github.com>

packages/kit/src/vite/index.js

Co-authored-by: Patrick <Patrick@ShowYou.us>

…m write_ambient

feat: Works with dev, not build

c751531

fix: Did a dumb

5b37e6a

vercel bot deployed to Preview – kit August 5, 2022 03:44 View deployment

vercel bot deployed to Preview – kit-svelte-dev August 5, 2022 03:45 View deployment

feat: Changeset

6bd374d

vercel bot deployed to Preview – kit August 5, 2022 03:46 View deployment

vercel bot deployed to Preview – kit-svelte-dev August 5, 2022 03:47 View deployment

This comment was marked as outdated.

Sign in to view

feat: It works!

2971593

vercel bot deployed to Preview – kit August 5, 2022 05:14 View deployment

vercel bot deployed to Preview – kit-svelte-dev August 5, 2022 05:15 View deployment

tcc-sejohnson marked this pull request as ready for review August 5, 2022 14:20

benmccann reviewed Aug 5, 2022

View reviewed changes

packages/kit/src/vite/index.js Outdated Show resolved Hide resolved

benmccann reviewed Aug 5, 2022

View reviewed changes

packages/kit/src/vite/index.js Outdated Show resolved Hide resolved

tcc-sejohnson and others added 2 commits August 5, 2022 09:23

Update packages/kit/src/vite/index.js

bf46961

Co-authored-by: Ben McCann <322311+benmccann@users.noreply.github.com>

Update packages/kit/src/vite/index.js

8bc3fa1

Co-authored-by: Ben McCann <322311+benmccann@users.noreply.github.com>

vercel bot deployed to Preview – kit August 5, 2022 15:24 View deployment

vercel bot deployed to Preview – kit-svelte-dev August 5, 2022 15:26 View deployment

tcc-sejohnson linked an issue Aug 5, 2022 that may be closed by this pull request

No way to silence warning "Omitting environment variable" #5801

Closed

PatrickG reviewed Aug 6, 2022

View reviewed changes

packages/kit/src/vite/index.js Outdated Show resolved Hide resolved

Update packages/kit/src/vite/index.js

dfcd44a

Co-authored-by: Patrick <Patrick@ShowYou.us>

vercel bot deployed to Preview – kit August 6, 2022 17:16 View deployment

vercel bot deployed to Preview – kit-svelte-dev August 6, 2022 17:17 View deployment

fix: Don't resolve environment twice

a553813

vercel bot deployed to Preview – kit August 7, 2022 03:05 View deployment

vercel bot deployed to Preview – kit-svelte-dev August 7, 2022 03:05 View deployment

fix: As usual, the problem is me not knowing what the heck is going on

ee0f975

vercel bot deployed to Preview – kit August 7, 2022 06:36 View deployment

bluwy mentioned this pull request Aug 15, 2022

Running scripts that have access to Kit stores (like $env) #5886

Closed

merge

3528aff

vercel bot deployed to Preview – kit August 16, 2022 17:48 View deployment

vercel bot deployed to Preview – kit-svelte-dev August 16, 2022 17:49 View deployment

simplify

c80b102

vercel bot deployed to Preview – kit August 16, 2022 17:50 View deployment

vercel bot deployed to Preview – kit-svelte-dev August 16, 2022 17:51 View deployment

merge virtual module handling into main plugin to avoid double loading

0441189

vercel bot deployed to Preview – kit August 16, 2022 18:04 View deployment

vercel bot deployed to Preview – kit-svelte-dev August 16, 2022 18:05 View deployment

move env into shared module, instead of the vite plugin importing fro…

5ef4d7c

…m write_ambient

vercel bot had a problem deploying to Preview – kit-svelte-dev August 16, 2022 18:13 Failure

vercel bot had a problem deploying to Preview – kit August 16, 2022 18:14 Failure

fix, hopefully

94dc0da

vercel bot deployed to Preview – kit August 16, 2022 18:16 View deployment

vercel bot deployed to Preview – kit-svelte-dev August 16, 2022 18:17 View deployment

oops

b6c1766

vercel bot deployed to Preview – kit August 16, 2022 18:25 View deployment

vercel bot deployed to Preview – kit-svelte-dev August 16, 2022 18:26 View deployment

see if this makes windows happy

4e537db

vercel bot deployed to Preview – kit August 16, 2022 18:46 View deployment

vercel bot deployed to Preview – kit-svelte-dev August 16, 2022 18:47 View deployment

Rich-Harris approved these changes Aug 16, 2022

View reviewed changes

formatting

d6957ec

Rich-Harris approved these changes Aug 16, 2022

View reviewed changes

Rich-Harris merged commit 6f355ea into master Aug 16, 2022

Rich-Harris deleted the sejohnson-virtualize-static-env branch August 16, 2022 20:45

vercel bot deployed to Preview – kit August 16, 2022 20:45 View deployment

github-actions bot mentioned this pull request Aug 16, 2022

Version Packages (next) #5948

Merged

vercel bot deployed to Preview – kit-svelte-dev August 16, 2022 20:46 View deployment

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

feat: Increase security by virtualizing `$env/static/*` #5825

feat: Increase security by virtualizing `$env/static/*` #5825

tcc-sejohnson commented Aug 5, 2022

changeset-bot bot commented Aug 5, 2022 •

edited

This comment was marked as outdated.

tcc-sejohnson commented Aug 5, 2022

feat: Increase security by virtualizing $env/static/* #5825

feat: Increase security by virtualizing $env/static/* #5825

Conversation

tcc-sejohnson commented Aug 5, 2022

HEADS UP!

Please don't delete this checklist! Before submitting the PR, please make sure you do the following:

Tests

Changesets

changeset-bot bot commented Aug 5, 2022 • edited

🦋 Changeset detected

This comment was marked as outdated.

tcc-sejohnson commented Aug 5, 2022

feat: Increase security by virtualizing `$env/static/*` #5825

feat: Increase security by virtualizing `$env/static/*` #5825

changeset-bot bot commented Aug 5, 2022 •

edited