
dotenv integration leaks secrets into the nix store

Open pkel opened this issue 11 months ago • 0 comments

Describe the bug

The .env file may contain secrets. Its contents must remain confidential (source). According to nix philosophy the nix store is not confidential (source). The devenv/dotenv integration copies the contents of the .env file into the nix store. As a result, the secrets in .env do not remain confidential.

Related:

  • #775

To reproduce

Create a .env file with content SECRET=batteryhorsestaples. Set dotenv.enable in devenv.nix and build the shell. Search for (and find) batteryhorsestaples in /nix.

Version

devenv 1.3.1 (x86_64-linux)

pkel, Jan 28 '25 10:01
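As an added example (not code from the issue, nor from devenv or nix), a POSIX shell check that automates the reproduction above from the defender's side: it reads every value from a .env file and reports any that appears verbatim under a store directory. The function name, the optional store-path argument (defaulting to /nix/store) and the minimum-length noise filter are assumptions of this example.

```shell
# check_dotenv_leak ENV_FILE [STORE_DIR]
# Reads KEY=VALUE lines from ENV_FILE and greps STORE_DIR (default /nix/store)
# for each value. Prints one line per leaked key and returns 1 if any value
# was found, 0 otherwise. Name, arguments and the ">= 4 chars" filter are
# assumptions of this added example.
check_dotenv_leak() {
  env_file=$1
  store=${2:-/nix/store}
  leaked=0
  while IFS= read -r line || [ -n "$line" ]; do
    # skip blank lines and comments
    case $line in ''|'#'*) continue ;; esac
    # only KEY=VALUE lines carry a value worth searching for
    case $line in *=*) ;; *) continue ;; esac
    key=${line%%=*}
    value=${line#*=}
    # dotenv files may write "export KEY=VALUE"
    case $key in 'export '*) key=${key#export } ;; esac
    # strip one pair of surrounding double or single quotes
    case $value in
      \"*\") value=${value#\"}; value=${value%\"} ;;
      \'*\') value=${value#\'}; value=${value%\'} ;;
    esac
    # very short values would match almost any store path; skip them
    [ ${#value} -ge 4 ] || continue
    # -r recurse, -q quiet, -F fixed string (the value is not a regex)
    if grep -rqF -- "$value" "$store" 2>/dev/null; then
      printf 'LEAK: value of %s found under %s\n' "$key" "$store"
      leaked=1
    fi
  done < "$env_file"
  return $leaked
}
```

Running it against a real /nix/store is slow (it reads every store path) and is only a presence check: a hit tells you the secret is readable by every user of that machine and any binary cache the path is pushed to, not which derivation copied it.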