
dotenv integration leaks secrets into the nix store

Open pkel opened this issue 1 year ago • 7 comments

Describe the bug

The .env file may contain secrets. Its contents must remain confidential (source). According to nix philosophy the nix store is not confidential (source). The devenv/dotenv integration copies the contents of the .env file into the nix store. As a result, the secrets in .env do not remain confidential.

Related:

  • #775

To reproduce

Create .env file with content SECRET=batteryhorsestaples. Set dotenv.enable in devenv.nix, build the shell. Search (and find) batteryhorsestaples in /nix.

Version

devenv 1.3.1 (x86_64-linux)

pkel avatar Jan 28 '25 10:01 pkel
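The reproduction step above greps the Nix store for one known value. The following script, added here as an example and not part of devenv or of this issue, generalizes that check: it parses every KEY=VALUE line of a .env file and reports each key whose value can be found verbatim under a store directory. The store directory and the .env path are parameters, and the `demo` function builds a constructed fake store so the check can be tried without a real Nix installation; in practice you would point it at `/nix/store`.

```shell
#!/bin/sh
# Added example (not devenv's own code): report which .env values are
# readable from a Nix store directory. In real use STOREDIR is /nix/store;
# the demo below uses a constructed temporary directory instead.

# Usage: leaked_env_keys ENVFILE STOREDIR
# Prints one key name per line for every .env value found verbatim in STOREDIR.
leaked_env_keys() {
  envfile=$1
  storedir=$2
  while IFS= read -r line || [ -n "$line" ]; do
    # skip blank lines and comments
    case $line in ''|'#'*) continue ;; esac
    # only KEY=VALUE lines are of interest
    case $line in *=*) ;; *) continue ;; esac
    key=${line%%=*}
    value=${line#*=}
    # tolerate an "export " prefix and surrounding single or double quotes
    key=${key#export }
    value=${value#\"}; value=${value%\"}
    value=${value#\'}; value=${value%\'}
    [ -n "$value" ] || continue
    # fixed-string, recursive, quiet search: any hit means the secret
    # is world-readable from the store, which is the bug this issue reports
    if grep -rqF -- "$value" "$storedir" 2>/dev/null; then
      printf '%s\n' "$key"
    fi
  done < "$envfile"
}

# Constructed demo: a fake store holding one leaked value and one that is not.
# Returns the list of leaked keys (here exactly "SECRET").
demo() {
  tmp=$(mktemp -d)
  printf 'SECRET=batteryhorsestaples\n# comment line\nOTHER="still-private"\n' > "$tmp/.env"
  mkdir -p "$tmp/store/abc-devenv-profile"
  printf 'export SECRET=batteryhorsestaples\n' > "$tmp/store/abc-devenv-profile/env.sh"
  leaked_env_keys "$tmp/.env" "$tmp/store"
  rm -rf "$tmp"
}

demo
```

Running `leaked_env_keys .env /nix/store` after building the shell gives an empty result only if no value from the file is present in any store path; a non-empty result lists exactly which variables have been exposed. The search is by fixed string, so short or common values (for example `1` or `true`) can produce false positives and are worth checking by hand.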

Any updates on this? Currently, I couldn’t use devenv in any development environment with such a security flaw.

itpropro avatar May 01 '25 05:05 itpropro

We have addressed this by releasing secretspec: https://devenv.sh/blog/2025/07/21/announcing-secretspec-declarative-secrets-management/

domenkozar avatar Jul 24 '25 20:07 domenkozar

Imo you should (and should have) put a warning on https://devenv.sh/integrations/dotenv/.

pkel avatar Jul 25 '25 06:07 pkel

Happy to accept a PR for someone to document this one!

domenkozar avatar Oct 20 '25 18:10 domenkozar

> Happy to accept a PR for someone to document this one!

Happy to address your comments over there: #2228

pkel avatar Oct 20 '25 19:10 pkel

Note that a proper fix would be to move the parsing of .env files into Rust code and then populate Nix variables as inputs.

I suggest moving to https://devenv.sh/integrations/secretspec/ as long-term solution.

domenkozar avatar Oct 20 '25 19:10 domenkozar

We've added support for path secrets in secretspec 0.4.0 to further help with this: https://devenv.sh/blog/2025/11/26/devenv-111-module-changelogs-and-secretspec-040/

domenkozar avatar Nov 26 '25 11:11 domenkozar