@expo/env 2.3.1-canary-20260624-9d83b81 → 2.4.0
- package/build/constants.js +262 -250
- package/build/constants.js.map +1 -1
- package/build/index.js +399 -357
- package/build/index.js.map +1 -1
- package/build/parse.js +46 -59
- package/build/parse.js.map +1 -1
- package/package.json +7 -9
package/build/constants.js
CHANGED
|
@@ -1,262 +1,274 @@
|
|
|
1
1
|
"use strict";
|
|
2
|
+
|
|
2
3
|
Object.defineProperty(exports, "__esModule", {
|
|
3
|
-
|
|
4
|
-
});
|
|
5
|
-
0 && (module.exports = {
|
|
6
|
-
isIgnoredEnvKey: null,
|
|
7
|
-
isLocalEnvKey: null,
|
|
8
|
-
isUnsafeAllowedEnvKey: null
|
|
9
|
-
});
|
|
10
|
-
function _export(target, all) {
|
|
11
|
-
for(var name in all)Object.defineProperty(target, name, {
|
|
12
|
-
enumerable: true,
|
|
13
|
-
get: Object.getOwnPropertyDescriptor(all, name).get
|
|
14
|
-
});
|
|
15
|
-
}
|
|
16
|
-
_export(exports, {
|
|
17
|
-
get isIgnoredEnvKey () {
|
|
18
|
-
return isIgnoredEnvKey;
|
|
19
|
-
},
|
|
20
|
-
get isLocalEnvKey () {
|
|
21
|
-
return isLocalEnvKey;
|
|
22
|
-
},
|
|
23
|
-
get isUnsafeAllowedEnvKey () {
|
|
24
|
-
return isUnsafeAllowedEnvKey;
|
|
25
|
-
}
|
|
4
|
+
value: true
|
|
26
5
|
});
|
|
27
|
-
|
|
28
|
-
|
|
29
|
-
|
|
30
|
-
|
|
31
|
-
|
|
6
|
+
exports.isIgnoredEnvKey = isIgnoredEnvKey;
|
|
7
|
+
exports.isLocalEnvKey = isLocalEnvKey;
|
|
8
|
+
exports.isUnsafeAllowedEnvKey = isUnsafeAllowedEnvKey;
|
|
9
|
+
function _nodeOs() {
|
|
10
|
+
const data = _interopRequireDefault(require("node:os"));
|
|
11
|
+
_nodeOs = function () {
|
|
32
12
|
return data;
|
|
13
|
+
};
|
|
14
|
+
return data;
|
|
33
15
|
}
|
|
34
|
-
function
|
|
35
|
-
|
|
36
|
-
|
|
37
|
-
};
|
|
38
|
-
}
|
|
39
|
-
const platform = _nodeos().default.platform();
|
|
16
|
+
function _interopRequireDefault(e) { return e && e.__esModule ? e : { default: e }; }
|
|
17
|
+
const platform = _nodeOs().default.platform();
|
|
18
|
+
|
|
40
19
|
// WARN(@kitten): We don't read this dynamically to ignore later modifications to this env var
|
|
41
|
-
const safeKeys = new Set(process.env.EXPO_UNSAFE_DOTENV_KEYS?.split(',').filter(
|
|
20
|
+
const safeKeys = new Set(process.env.EXPO_UNSAFE_DOTENV_KEYS?.split(',').filter(x => !!x));
|
|
42
21
|
function isUnsafeAllowedEnvKey(name) {
|
|
43
|
-
|
|
22
|
+
return safeKeys.has(name);
|
|
44
23
|
}
|
|
45
24
|
function isIgnoredEnvKey(name) {
|
|
46
|
-
|
|
47
|
-
|
|
48
|
-
|
|
49
|
-
|
|
50
|
-
|
|
51
|
-
|
|
52
|
-
|
|
53
|
-
|
|
54
|
-
|
|
55
|
-
|
|
56
|
-
|
|
57
|
-
|
|
58
|
-
|
|
59
|
-
|
|
60
|
-
|
|
61
|
-
|
|
62
|
-
|
|
63
|
-
|
|
64
|
-
|
|
65
|
-
|
|
66
|
-
|
|
67
|
-
|
|
68
|
-
|
|
69
|
-
|
|
70
|
-
|
|
71
|
-
|
|
72
|
-
|
|
73
|
-
|
|
74
|
-
|
|
75
|
-
|
|
76
|
-
|
|
77
|
-
|
|
78
|
-
|
|
79
|
-
|
|
80
|
-
|
|
81
|
-
|
|
82
|
-
|
|
83
|
-
|
|
84
|
-
|
|
85
|
-
|
|
86
|
-
|
|
87
|
-
|
|
88
|
-
|
|
89
|
-
|
|
90
|
-
|
|
91
|
-
|
|
92
|
-
|
|
93
|
-
|
|
94
|
-
|
|
95
|
-
|
|
96
|
-
|
|
97
|
-
|
|
98
|
-
|
|
99
|
-
|
|
100
|
-
|
|
101
|
-
|
|
102
|
-
|
|
103
|
-
|
|
104
|
-
|
|
105
|
-
|
|
106
|
-
|
|
107
|
-
|
|
108
|
-
|
|
109
|
-
|
|
110
|
-
|
|
111
|
-
|
|
112
|
-
|
|
113
|
-
|
|
114
|
-
|
|
115
|
-
|
|
116
|
-
|
|
117
|
-
|
|
118
|
-
|
|
119
|
-
|
|
120
|
-
|
|
121
|
-
|
|
122
|
-
|
|
123
|
-
|
|
124
|
-
|
|
125
|
-
|
|
126
|
-
|
|
127
|
-
|
|
128
|
-
|
|
129
|
-
|
|
130
|
-
|
|
131
|
-
|
|
132
|
-
|
|
133
|
-
|
|
134
|
-
|
|
135
|
-
|
|
136
|
-
|
|
137
|
-
|
|
138
|
-
|
|
139
|
-
|
|
140
|
-
|
|
141
|
-
|
|
142
|
-
|
|
143
|
-
|
|
144
|
-
|
|
145
|
-
|
|
146
|
-
|
|
147
|
-
|
|
148
|
-
|
|
149
|
-
|
|
150
|
-
|
|
151
|
-
|
|
152
|
-
|
|
153
|
-
|
|
154
|
-
|
|
155
|
-
|
|
156
|
-
|
|
157
|
-
|
|
158
|
-
|
|
159
|
-
|
|
160
|
-
|
|
161
|
-
|
|
162
|
-
|
|
163
|
-
|
|
164
|
-
|
|
165
|
-
|
|
166
|
-
|
|
167
|
-
|
|
168
|
-
|
|
169
|
-
|
|
170
|
-
|
|
171
|
-
|
|
172
|
-
|
|
173
|
-
|
|
174
|
-
|
|
175
|
-
|
|
176
|
-
|
|
177
|
-
|
|
178
|
-
|
|
179
|
-
|
|
180
|
-
|
|
181
|
-
|
|
182
|
-
|
|
183
|
-
|
|
184
|
-
|
|
185
|
-
|
|
186
|
-
|
|
187
|
-
|
|
188
|
-
|
|
189
|
-
|
|
190
|
-
|
|
191
|
-
|
|
192
|
-
|
|
193
|
-
|
|
194
|
-
|
|
195
|
-
|
|
196
|
-
|
|
197
|
-
|
|
198
|
-
|
|
199
|
-
|
|
200
|
-
|
|
201
|
-
|
|
25
|
+
if (platform === 'darwin' && name.startsWith('DYLD_')) {
|
|
26
|
+
return true;
|
|
27
|
+
} else if (platform === 'linux' && name.startsWith('LD_')) {
|
|
28
|
+
return true;
|
|
29
|
+
} else if (safeKeys.has(name)) {
|
|
30
|
+
return false;
|
|
31
|
+
}
|
|
32
|
+
|
|
33
|
+
// NOTE(@kitten): Per-developer tool roots (ANDROID_HOME, JDK_HOME, DEVELOPER_DIR,
|
|
34
|
+
// npm/pnpm/yarn/bun paths, etc) are not blocked here — see `isLocalEnvKey`, which
|
|
35
|
+
// restricts them to `.local` env files (gitignored by convention) so committed
|
|
36
|
+
// `.env*` files cannot redirect them.
|
|
37
|
+
switch (name) {
|
|
38
|
+
// NOTE: Expo internal env vars
|
|
39
|
+
case '__EXPO_ENV_LOADED':
|
|
40
|
+
case 'EXPO_NO_DOTENV':
|
|
41
|
+
case 'EXPO_UNSAFE_DOTENV_KEYS':
|
|
42
|
+
return true;
|
|
43
|
+
|
|
44
|
+
// Linux dynamic-loader, can cause inconsistent calls
|
|
45
|
+
case 'LD_PRELOAD':
|
|
46
|
+
case 'LD_LIBRARY_PATH':
|
|
47
|
+
case 'LD_AUDIT':
|
|
48
|
+
return true;
|
|
49
|
+
|
|
50
|
+
// macOS dynamic-loader, can cause inconsistent calls
|
|
51
|
+
case 'DYLD_INSERT_LIBRARIES':
|
|
52
|
+
case 'DYLD_LIBRARY_PATH':
|
|
53
|
+
case 'DYLD_FRAMEWORK_PATH':
|
|
54
|
+
case 'DYLD_FALLBACK_LIBRARY_PATH':
|
|
55
|
+
case 'DYLD_FALLBACK_FRAMEWORK_PATH':
|
|
56
|
+
return true;
|
|
57
|
+
|
|
58
|
+
// OpenSSL
|
|
59
|
+
case 'SSLKEYLOGFILE':
|
|
60
|
+
return true;
|
|
61
|
+
|
|
62
|
+
// Changes Node behaviour and shouldn't be set in dotenv
|
|
63
|
+
case 'NODE_PATH':
|
|
64
|
+
case 'NODE_OPTIONS':
|
|
65
|
+
case 'NODE_EXTRA_CA_CERTS':
|
|
66
|
+
case 'NODE_TLS_REJECT_UNAUTHORIZED':
|
|
67
|
+
case 'NODE_COMPILE_CACHE':
|
|
68
|
+
case 'NPM_CONFIG_NODE_OPTIONS':
|
|
69
|
+
case 'NODE_REPL_EXTERNAL_MODULE':
|
|
70
|
+
return true;
|
|
71
|
+
|
|
72
|
+
// Changes Bun behaviour and shouldn't be set in dotenv
|
|
73
|
+
case 'BUN_RUNTIME_TRANSPILER_CACHE_PATH':
|
|
74
|
+
return true;
|
|
75
|
+
|
|
76
|
+
// Shell startup hooks
|
|
77
|
+
case 'BASH_ENV':
|
|
78
|
+
case 'ENV':
|
|
79
|
+
case 'ZDOTDIR':
|
|
80
|
+
case 'IFS':
|
|
81
|
+
case 'CDPATH':
|
|
82
|
+
case 'PROMPT_COMMAND':
|
|
83
|
+
case 'SHELLOPTS':
|
|
84
|
+
case 'BASHOPTS':
|
|
85
|
+
return true;
|
|
86
|
+
|
|
87
|
+
// Special git/ssh/gpg args
|
|
88
|
+
case 'GIT_SSH':
|
|
89
|
+
case 'GIT_SSH_COMMAND':
|
|
90
|
+
case 'GPG_TTY':
|
|
91
|
+
case 'SSH_ASKPASS':
|
|
92
|
+
case 'GIT_ASKPASS':
|
|
93
|
+
case 'GIT_EXEC_PATH':
|
|
94
|
+
return true;
|
|
95
|
+
|
|
96
|
+
// Perl libs
|
|
97
|
+
case 'PERL5OPT':
|
|
98
|
+
case 'PERL5LIB':
|
|
99
|
+
case 'PERLLIB':
|
|
100
|
+
return true;
|
|
101
|
+
|
|
102
|
+
// Python modules
|
|
103
|
+
case 'PYTHONSTARTUP':
|
|
104
|
+
case 'PYTHONPATH':
|
|
105
|
+
case 'PYTHONHOME':
|
|
106
|
+
case 'PYTHONINSPECT':
|
|
107
|
+
case 'PYTHONUSERBASE':
|
|
108
|
+
case 'PYTHONEXECUTABLE':
|
|
109
|
+
case 'PYTHONSAFEPATH':
|
|
110
|
+
case 'PYTJONNOUSERSITE':
|
|
111
|
+
return true;
|
|
112
|
+
|
|
113
|
+
// Ruby libs
|
|
114
|
+
case 'RUBYOPT':
|
|
115
|
+
case 'RUBYLIB':
|
|
116
|
+
case 'BUNDLE_GEMFILE':
|
|
117
|
+
case 'RUBYSHELL':
|
|
118
|
+
case 'RUBYPATH':
|
|
119
|
+
case 'GEM_HOME':
|
|
120
|
+
case 'GEM_PATH':
|
|
121
|
+
case 'BUNDLE_PATH':
|
|
122
|
+
return true;
|
|
123
|
+
|
|
124
|
+
// Java vars
|
|
125
|
+
case '_JAVA_OPTIONS':
|
|
126
|
+
case 'JAVA_TOOL_OPTIONS':
|
|
127
|
+
case 'JDK_JAVA_OPTIONS':
|
|
128
|
+
case 'CLASSPATH':
|
|
129
|
+
return true;
|
|
130
|
+
|
|
131
|
+
// User env vars
|
|
132
|
+
case 'HOME':
|
|
133
|
+
case 'USERPROFILE':
|
|
134
|
+
case 'HOMEDRIVE':
|
|
135
|
+
case 'HOMEPATH':
|
|
136
|
+
case 'TMPDIR':
|
|
137
|
+
case 'TMP':
|
|
138
|
+
case 'TEMP':
|
|
139
|
+
case 'USER':
|
|
140
|
+
case 'SHELL':
|
|
141
|
+
case 'PATH':
|
|
142
|
+
case 'PATHEXT':
|
|
143
|
+
case 'LANG':
|
|
144
|
+
case 'PWD':
|
|
145
|
+
case 'OLDPWD':
|
|
146
|
+
case 'TERMINFO':
|
|
147
|
+
return true;
|
|
148
|
+
|
|
149
|
+
// Windows-owned
|
|
150
|
+
case 'SYSTEMROOT':
|
|
151
|
+
case 'SystemRoot':
|
|
152
|
+
return true;
|
|
153
|
+
|
|
154
|
+
// User tools
|
|
155
|
+
case 'EDITOR':
|
|
156
|
+
case 'VISUAL':
|
|
157
|
+
case 'PAGER':
|
|
158
|
+
case 'MANPAGER':
|
|
159
|
+
return true;
|
|
160
|
+
|
|
161
|
+
// XDG dirs
|
|
162
|
+
case 'XDG_RUNTIME_DIR':
|
|
163
|
+
case 'XDG_STATE_HOME':
|
|
164
|
+
case 'XDG_DATA_HOME':
|
|
165
|
+
case 'XDG_CONFIG_DIRS':
|
|
166
|
+
case 'XDG_CACHE_HOME':
|
|
167
|
+
case 'XDG_CONFIG_HOME':
|
|
168
|
+
case 'XDG_BIN_HOME':
|
|
169
|
+
return true;
|
|
170
|
+
|
|
171
|
+
// direnv
|
|
172
|
+
case 'DIRENV_DIR':
|
|
173
|
+
case 'DIRENV_FILE':
|
|
174
|
+
case 'DIRENV_WATCHES':
|
|
175
|
+
case 'DIRENV_DIFF':
|
|
176
|
+
return true;
|
|
177
|
+
|
|
178
|
+
// Package-manager registry/install roots. No legitimate per-project `.env`
|
|
179
|
+
// use case — the established mechanism for each is a dedicated config file
|
|
180
|
+
// (`.npmrc`, `.yarnrc.yml`, `.bunfig.toml`) — and a malicious value is a
|
|
181
|
+
// supply-chain RCE the moment the CLI shells out to npm/yarn/pnpm/bun.
|
|
182
|
+
case 'NPM_CONFIG_REGISTRY':
|
|
183
|
+
case 'NPM_CONFIG_PREFIX':
|
|
184
|
+
case 'NPM_CONFIG_USERCONFIG':
|
|
185
|
+
case 'NPM_CONFIG_GLOBALCONFIG':
|
|
186
|
+
case 'NPM_CONFIG_CACHE':
|
|
187
|
+
case 'YARN_REGISTRY':
|
|
188
|
+
case 'YARN_CACHE_FOLDER':
|
|
189
|
+
case 'YARN_GLOBAL_FOLDER':
|
|
190
|
+
case 'PNPM_HOME':
|
|
191
|
+
case 'BUN_INSTALL':
|
|
192
|
+
case 'BUN_INSTALL_BIN':
|
|
193
|
+
case 'COCOAPODS_HOME':
|
|
194
|
+
case 'CMAKE_HOME':
|
|
195
|
+
return true;
|
|
196
|
+
default:
|
|
197
|
+
return false;
|
|
198
|
+
}
|
|
202
199
|
}
|
|
200
|
+
|
|
201
|
+
/**
|
|
202
|
+
* Whether a dotenv key represents per-developer/per-machine configuration that
|
|
203
|
+
* should only be loaded from `.local` env files (e.g. `.env.local`,
|
|
204
|
+
* `.env.development.local`). Committed `.env*` files cannot set these — that
|
|
205
|
+
* prevents a malicious project from redirecting developer-tool roots (e.g.
|
|
206
|
+
* `ANDROID_HOME`) via a supply-chain attack, while still letting developers
|
|
207
|
+
* pin them in their gitignored `.local` overrides.
|
|
208
|
+
*
|
|
209
|
+
* Honors `EXPO_UNSAFE_DOTENV_KEYS`: opt-in keys are allowed in any env file.
|
|
210
|
+
*/
|
|
203
211
|
function isLocalEnvKey(name) {
|
|
204
|
-
|
|
205
|
-
|
|
206
|
-
|
|
207
|
-
|
|
208
|
-
|
|
209
|
-
|
|
210
|
-
|
|
211
|
-
|
|
212
|
-
|
|
213
|
-
|
|
214
|
-
|
|
215
|
-
|
|
216
|
-
|
|
217
|
-
|
|
218
|
-
|
|
219
|
-
|
|
220
|
-
|
|
221
|
-
|
|
222
|
-
|
|
223
|
-
|
|
224
|
-
|
|
225
|
-
|
|
226
|
-
|
|
227
|
-
|
|
228
|
-
case 'FASTLANE_USER':
|
|
229
|
-
case 'FASTLANE_PASSWORD':
|
|
230
|
-
case 'FASTLANE_SESSION':
|
|
231
|
-
case 'FASTLANE_APPLE_APPLICATION_SPECIFIC_PASSWORD':
|
|
232
|
-
return true;
|
|
233
|
-
// Android NDK (per-project NDK version pinning is common)
|
|
234
|
-
case 'NDK_HOME':
|
|
235
|
-
case 'NDK_ROOT':
|
|
236
|
-
return true;
|
|
237
|
-
// Per-developer preferences and per-machine setup
|
|
238
|
-
case 'BROWSER':
|
|
239
|
-
case 'BROWSER_ARGS':
|
|
240
|
-
case 'HTTP_PROXY':
|
|
241
|
-
case 'http_proxy':
|
|
242
|
-
case 'HTTPS_PROXY':
|
|
243
|
-
case 'https_proxy':
|
|
244
|
-
case 'ALL_PROXY':
|
|
245
|
-
case 'all_proxy':
|
|
246
|
-
case 'NO_PROXY':
|
|
247
|
-
case 'no_proxy':
|
|
248
|
-
case 'FTP_PROXY':
|
|
249
|
-
case 'ftp_proxy':
|
|
250
|
-
case 'SSL_CRT_FILE':
|
|
251
|
-
case 'SSL_KEY_FILE':
|
|
252
|
-
case 'REACT_NATIVE_PACKAGER_HOSTNAME':
|
|
253
|
-
return true;
|
|
254
|
-
// NOTE(@kitten): Used to override where hermesc is found, not safe to read from .env
|
|
255
|
-
case 'REACT_NATIVE_OVERRIDE_HERMES_DIR':
|
|
256
|
-
return true;
|
|
257
|
-
default:
|
|
258
|
-
return false;
|
|
259
|
-
}
|
|
260
|
-
}
|
|
212
|
+
if (safeKeys.has(name)) return false;
|
|
213
|
+
switch (name) {
|
|
214
|
+
// Android tooling
|
|
215
|
+
case 'ANDROID_HOME':
|
|
216
|
+
case 'ANDROID_SDK_ROOT':
|
|
217
|
+
case 'ANDROID_NDK_HOME':
|
|
218
|
+
case 'ANDROID_NDK_ROOT':
|
|
219
|
+
case 'ANDROID_AVD_HOME':
|
|
220
|
+
case 'ANDROID_EMULATOR_HOME':
|
|
221
|
+
case 'GRADLE_HOME':
|
|
222
|
+
case 'GRADLE_USER_HOME':
|
|
223
|
+
case 'KOTLIN_HOME':
|
|
224
|
+
return true;
|
|
225
|
+
|
|
226
|
+
// JVM tooling
|
|
227
|
+
case 'JAVA_HOME':
|
|
228
|
+
case 'JDK_HOME':
|
|
229
|
+
case 'JRE_HOME':
|
|
230
|
+
return true;
|
|
231
|
+
|
|
232
|
+
// Apple tooling
|
|
233
|
+
case 'DEVELOPER_DIR':
|
|
234
|
+
case 'XCODE_DEVELOPER_DIR_PATH':
|
|
235
|
+
return true;
|
|
261
236
|
|
|
262
|
-
|
|
237
|
+
// CocoaPods / Fastlane (secrets and non-exec config)
|
|
238
|
+
case 'COCOAPODS_DISABLE_STATS':
|
|
239
|
+
case 'FASTLANE_USER':
|
|
240
|
+
case 'FASTLANE_PASSWORD':
|
|
241
|
+
case 'FASTLANE_SESSION':
|
|
242
|
+
case 'FASTLANE_APPLE_APPLICATION_SPECIFIC_PASSWORD':
|
|
243
|
+
return true;
|
|
244
|
+
|
|
245
|
+
// Android NDK (per-project NDK version pinning is common)
|
|
246
|
+
case 'NDK_HOME':
|
|
247
|
+
case 'NDK_ROOT':
|
|
248
|
+
return true;
|
|
249
|
+
|
|
250
|
+
// Per-developer preferences and per-machine setup
|
|
251
|
+
case 'BROWSER':
|
|
252
|
+
case 'BROWSER_ARGS':
|
|
253
|
+
case 'HTTP_PROXY':
|
|
254
|
+
case 'http_proxy':
|
|
255
|
+
case 'HTTPS_PROXY':
|
|
256
|
+
case 'https_proxy':
|
|
257
|
+
case 'ALL_PROXY':
|
|
258
|
+
case 'all_proxy':
|
|
259
|
+
case 'NO_PROXY':
|
|
260
|
+
case 'no_proxy':
|
|
261
|
+
case 'FTP_PROXY':
|
|
262
|
+
case 'ftp_proxy':
|
|
263
|
+
case 'SSL_CRT_FILE':
|
|
264
|
+
case 'SSL_KEY_FILE':
|
|
265
|
+
case 'REACT_NATIVE_PACKAGER_HOSTNAME':
|
|
266
|
+
return true;
|
|
267
|
+
// NOTE(@kitten): Used to override where hermesc is found, not safe to read from .env
|
|
268
|
+
case 'REACT_NATIVE_OVERRIDE_HERMES_DIR':
|
|
269
|
+
return true;
|
|
270
|
+
default:
|
|
271
|
+
return false;
|
|
272
|
+
}
|
|
273
|
+
}
|
|
274
|
+
//# sourceMappingURL=constants.js.map
|
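Review bot: The Python group of the new `isIgnoredEnvKey` switch lists `case 'PYTJONNOUSERSITE':`, which looks like a misspelling of `PYTHONNOUSERSITE`, so the real variable is not on the ignore list and a committed `.env` file can still set it; the line should read `case 'PYTHONNOUSERSITE':`. The same spelling appears in the `sourcesContent` embedded in `constants.js.map`, so the fix presumably belongs in `src/constants.ts` rather than in this build output. Separately, both switches match `name` exactly and case-sensitively, and only `SYSTEMROOT`/`SystemRoot` are listed in two spellings. On Windows, where environment variable names are case-insensitive, a dotenv key such as `Path` would presumably not hit `case 'PATH':`; this is worth confirming against the loader and, if it holds, comparing an upper-cased name when `platform === 'win32'`.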
package/build/constants.js.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"sources":["constants.ts"],"sourcesContent":[null],"names":["isIgnoredEnvKey","isLocalEnvKey","isUnsafeAllowedEnvKey","platform","os","safeKeys","Set","process","env","EXPO_UNSAFE_DOTENV_KEYS","split","filter","x","name","has","startsWith"],"mappings":";;;;;;;;;;;;;;;;QAWgBA;eAAAA;;QA4LAC;eAAAA;;QAhMAC;eAAAA;;;;gEAPD;;;;;;;;;;;AAEf,MAAMC,WAAWC,iBAAE,CAACD,QAAQ;AAE5B,8FAA8F;AAC9F,MAAME,WAAW,IAAIC,IAAIC,QAAQC,GAAG,CAACC,uBAAuB,EAAEC,MAAM,KAAKC,OAAO,CAACC,IAAM,CAAC,CAACA;AAElF,SAASV,sBAAsBW,IAAY;IAChD,OAAOR,SAASS,GAAG,CAACD;AACtB;AAEO,SAASb,gBAAgBa,IAAY;IAC1C,IAAIV,aAAa,YAAYU,KAAKE,UAAU,CAAC,UAAU;QACrD,OAAO;IACT,OAAO,IAAIZ,aAAa,WAAWU,KAAKE,UAAU,CAAC,QAAQ;QACzD,OAAO;IACT,OAAO,IAAIV,SAASS,GAAG,CAACD,OAAO;QAC7B,OAAO;IACT;IAEA,kFAAkF;IAClF,kFAAkF;IAClF,+EAA+E;IAC/E,sCAAsC;IACtC,OAAQA;QACN,+BAA+B;QAC/B,KAAK;QACL,KAAK;QACL,KAAK;YACH,OAAO;QAET,qDAAqD;QACrD,KAAK;QACL,KAAK;QACL,KAAK;YACH,OAAO;QAET,qDAAqD;QACrD,KAAK;QACL,KAAK;QACL,KAAK;QACL,KAAK;QACL,KAAK;YACH,OAAO;QAET,UAAU;QACV,KAAK;YACH,OAAO;QAET,wDAAwD;QACxD,KAAK;QACL,KAAK;QACL,KAAK;QACL,KAAK;QACL,KAAK;QACL,KAAK;QACL,KAAK;YACH,OAAO;QAET,uDAAuD;QACvD,KAAK;YACH,OAAO;QAET,sBAAsB;QACtB,KAAK;QACL,KAAK;QACL,KAAK;QACL,KAAK;QACL,KAAK;QACL,KAAK;QACL,KAAK;QACL,KAAK;YACH,OAAO;QAET,2BAA2B;QAC3B,KAAK;QACL,KAAK;QACL,KAAK;QACL,KAAK;QACL,KAAK;QACL,KAAK;YACH,OAAO;QAET,YAAY;QACZ,KAAK;QACL,KAAK;QACL,KAAK;YACH,OAAO;QAET,iBAAiB;QACjB,KAAK;QACL,KAAK;QACL,KAAK;QACL,KAAK;QACL,KAAK;QACL,KAAK;QACL,KAAK;QACL,KAAK;YACH,OAAO;QAET,YAAY;QACZ,KAAK;QACL,KAAK;QACL,KAAK;QACL,KAAK;QACL,KAAK;QACL,KAAK;QACL,KAAK;QACL,KAAK;YACH,OAAO;QAET,YAAY;QACZ,KAAK;QACL,KAAK;QACL,KAAK;QACL,KAAK;YACH,OAAO;QAET,gBAAgB;QAChB,KAAK;QACL,KAAK;QACL,KAAK;QACL,KAAK;QACL,KAAK;QACL,KAAK;QACL,KAAK;QACL,KAAK;QACL,KAAK;QACL,KAAK;QACL,KAAK;QACL,KAAK;QACL,KAAK;QACL,KAAK;QACL,KAAK;YACH,OAAO;QAET,gBAAgB;QAChB,KAAK;QACL,KAAK;YACH,OAAO;QAET,aAAa;QACb,KAAK;QACL,KAAK;QACL,KAAK;QACL,KAAK;YACH,OAAO;QAET,WAAW;QACX,KAAK;QACL,KAAK;QACL,KAAK;QACL,KAAK;QACL,KAAK;QACL,KAAK;QACL,KAAK;YACH,OAAO
;QAET,SAAS;QACT,KAAK;QACL,KAAK;QACL,KAAK;QACL,KAAK;YACH,OAAO;QAET,2EAA2E;QAC3E,2EAA2E;QAC3E,yEAAyE;QACzE,uEAAuE;QACvE,KAAK;QACL,KAAK;QACL,KAAK;QACL,KAAK;QACL,KAAK;QACL,KAAK;QACL,KAAK;QACL,KAAK;QACL,KAAK;QACL,KAAK;QACL,KAAK;QACL,KAAK;QACL,KAAK;YACH,OAAO;QAET;YACE,OAAO;IACX;AACF;AAYO,SAASZ,cAAcY,IAAY;IACxC,IAAIR,SAASS,GAAG,CAACD,OAAO,OAAO;IAC/B,OAAQA;QACN,kBAAkB;QAClB,KAAK;QACL,KAAK;QACL,KAAK;QACL,KAAK;QACL,KAAK;QACL,KAAK;QACL,KAAK;QACL,KAAK;QACL,KAAK;YACH,OAAO;QAET,cAAc;QACd,KAAK;QACL,KAAK;QACL,KAAK;YACH,OAAO;QAET,gBAAgB;QAChB,KAAK;QACL,KAAK;YACH,OAAO;QAET,qDAAqD;QACrD,KAAK;QACL,KAAK;QACL,KAAK;QACL,KAAK;QACL,KAAK;YACH,OAAO;QAET,0DAA0D;QAC1D,KAAK;QACL,KAAK;YACH,OAAO;QAET,kDAAkD;QAClD,KAAK;QACL,KAAK;QACL,KAAK;QACL,KAAK;QACL,KAAK;QACL,KAAK;QACL,KAAK;QACL,KAAK;QACL,KAAK;QACL,KAAK;QACL,KAAK;QACL,KAAK;QACL,KAAK;QACL,KAAK;QACL,KAAK;YACH,OAAO;QACT,qFAAqF;QACrF,KAAK;YACH,OAAO;QAET;YACE,OAAO;IACX;AACF"}
|
|
1
|
+
{"version":3,"file":"constants.js","names":["_nodeOs","data","_interopRequireDefault","require","e","__esModule","default","platform","os","safeKeys","Set","process","env","EXPO_UNSAFE_DOTENV_KEYS","split","filter","x","isUnsafeAllowedEnvKey","name","has","isIgnoredEnvKey","startsWith","isLocalEnvKey"],"sources":["../src/constants.ts"],"sourcesContent":["import os from 'node:os';\n\nconst platform = os.platform();\n\n// WARN(@kitten): We don't read this dynamically to ignore later modifications to this env var\nconst safeKeys = new Set(process.env.EXPO_UNSAFE_DOTENV_KEYS?.split(',').filter((x) => !!x));\n\nexport function isUnsafeAllowedEnvKey(name: string): boolean {\n return safeKeys.has(name);\n}\n\nexport function isIgnoredEnvKey(name: string) {\n if (platform === 'darwin' && name.startsWith('DYLD_')) {\n return true;\n } else if (platform === 'linux' && name.startsWith('LD_')) {\n return true;\n } else if (safeKeys.has(name)) {\n return false;\n }\n\n // NOTE(@kitten): Per-developer tool roots (ANDROID_HOME, JDK_HOME, DEVELOPER_DIR,\n // npm/pnpm/yarn/bun paths, etc) are not blocked here — see `isLocalEnvKey`, which\n // restricts them to `.local` env files (gitignored by convention) so committed\n // `.env*` files cannot redirect them.\n switch (name) {\n // NOTE: Expo internal env vars\n case '__EXPO_ENV_LOADED':\n case 'EXPO_NO_DOTENV':\n case 'EXPO_UNSAFE_DOTENV_KEYS':\n return true;\n\n // Linux dynamic-loader, can cause inconsistent calls\n case 'LD_PRELOAD':\n case 'LD_LIBRARY_PATH':\n case 'LD_AUDIT':\n return true;\n\n // macOS dynamic-loader, can cause inconsistent calls\n case 'DYLD_INSERT_LIBRARIES':\n case 'DYLD_LIBRARY_PATH':\n case 'DYLD_FRAMEWORK_PATH':\n case 'DYLD_FALLBACK_LIBRARY_PATH':\n case 'DYLD_FALLBACK_FRAMEWORK_PATH':\n return true;\n\n // OpenSSL\n case 'SSLKEYLOGFILE':\n return true;\n\n // Changes Node behaviour and shouldn't be set in dotenv\n case 'NODE_PATH':\n case 'NODE_OPTIONS':\n case 'NODE_EXTRA_CA_CERTS':\n case 
'NODE_TLS_REJECT_UNAUTHORIZED':\n case 'NODE_COMPILE_CACHE':\n case 'NPM_CONFIG_NODE_OPTIONS':\n case 'NODE_REPL_EXTERNAL_MODULE':\n return true;\n\n // Changes Bun behaviour and shouldn't be set in dotenv\n case 'BUN_RUNTIME_TRANSPILER_CACHE_PATH':\n return true;\n\n // Shell startup hooks\n case 'BASH_ENV':\n case 'ENV':\n case 'ZDOTDIR':\n case 'IFS':\n case 'CDPATH':\n case 'PROMPT_COMMAND':\n case 'SHELLOPTS':\n case 'BASHOPTS':\n return true;\n\n // Special git/ssh/gpg args\n case 'GIT_SSH':\n case 'GIT_SSH_COMMAND':\n case 'GPG_TTY':\n case 'SSH_ASKPASS':\n case 'GIT_ASKPASS':\n case 'GIT_EXEC_PATH':\n return true;\n\n // Perl libs\n case 'PERL5OPT':\n case 'PERL5LIB':\n case 'PERLLIB':\n return true;\n\n // Python modules\n case 'PYTHONSTARTUP':\n case 'PYTHONPATH':\n case 'PYTHONHOME':\n case 'PYTHONINSPECT':\n case 'PYTHONUSERBASE':\n case 'PYTHONEXECUTABLE':\n case 'PYTHONSAFEPATH':\n case 'PYTJONNOUSERSITE':\n return true;\n\n // Ruby libs\n case 'RUBYOPT':\n case 'RUBYLIB':\n case 'BUNDLE_GEMFILE':\n case 'RUBYSHELL':\n case 'RUBYPATH':\n case 'GEM_HOME':\n case 'GEM_PATH':\n case 'BUNDLE_PATH':\n return true;\n\n // Java vars\n case '_JAVA_OPTIONS':\n case 'JAVA_TOOL_OPTIONS':\n case 'JDK_JAVA_OPTIONS':\n case 'CLASSPATH':\n return true;\n\n // User env vars\n case 'HOME':\n case 'USERPROFILE':\n case 'HOMEDRIVE':\n case 'HOMEPATH':\n case 'TMPDIR':\n case 'TMP':\n case 'TEMP':\n case 'USER':\n case 'SHELL':\n case 'PATH':\n case 'PATHEXT':\n case 'LANG':\n case 'PWD':\n case 'OLDPWD':\n case 'TERMINFO':\n return true;\n\n // Windows-owned\n case 'SYSTEMROOT':\n case 'SystemRoot':\n return true;\n\n // User tools\n case 'EDITOR':\n case 'VISUAL':\n case 'PAGER':\n case 'MANPAGER':\n return true;\n\n // XDG dirs\n case 'XDG_RUNTIME_DIR':\n case 'XDG_STATE_HOME':\n case 'XDG_DATA_HOME':\n case 'XDG_CONFIG_DIRS':\n case 'XDG_CACHE_HOME':\n case 'XDG_CONFIG_HOME':\n case 'XDG_BIN_HOME':\n return true;\n\n // direnv\n case 'DIRENV_DIR':\n case 
'DIRENV_FILE':\n case 'DIRENV_WATCHES':\n case 'DIRENV_DIFF':\n return true;\n\n // Package-manager registry/install roots. No legitimate per-project `.env`\n // use case — the established mechanism for each is a dedicated config file\n // (`.npmrc`, `.yarnrc.yml`, `.bunfig.toml`) — and a malicious value is a\n // supply-chain RCE the moment the CLI shells out to npm/yarn/pnpm/bun.\n case 'NPM_CONFIG_REGISTRY':\n case 'NPM_CONFIG_PREFIX':\n case 'NPM_CONFIG_USERCONFIG':\n case 'NPM_CONFIG_GLOBALCONFIG':\n case 'NPM_CONFIG_CACHE':\n case 'YARN_REGISTRY':\n case 'YARN_CACHE_FOLDER':\n case 'YARN_GLOBAL_FOLDER':\n case 'PNPM_HOME':\n case 'BUN_INSTALL':\n case 'BUN_INSTALL_BIN':\n case 'COCOAPODS_HOME':\n case 'CMAKE_HOME':\n return true;\n\n default:\n return false;\n }\n}\n\n/**\n * Whether a dotenv key represents per-developer/per-machine configuration that\n * should only be loaded from `.local` env files (e.g. `.env.local`,\n * `.env.development.local`). Committed `.env*` files cannot set these — that\n * prevents a malicious project from redirecting developer-tool roots (e.g.\n * `ANDROID_HOME`) via a supply-chain attack, while still letting developers\n * pin them in their gitignored `.local` overrides.\n *\n * Honors `EXPO_UNSAFE_DOTENV_KEYS`: opt-in keys are allowed in any env file.\n */\nexport function isLocalEnvKey(name: string): boolean {\n if (safeKeys.has(name)) return false;\n switch (name) {\n // Android tooling\n case 'ANDROID_HOME':\n case 'ANDROID_SDK_ROOT':\n case 'ANDROID_NDK_HOME':\n case 'ANDROID_NDK_ROOT':\n case 'ANDROID_AVD_HOME':\n case 'ANDROID_EMULATOR_HOME':\n case 'GRADLE_HOME':\n case 'GRADLE_USER_HOME':\n case 'KOTLIN_HOME':\n return true;\n\n // JVM tooling\n case 'JAVA_HOME':\n case 'JDK_HOME':\n case 'JRE_HOME':\n return true;\n\n // Apple tooling\n case 'DEVELOPER_DIR':\n case 'XCODE_DEVELOPER_DIR_PATH':\n return true;\n\n // CocoaPods / Fastlane (secrets and non-exec config)\n case 'COCOAPODS_DISABLE_STATS':\n case 
'FASTLANE_USER':\n case 'FASTLANE_PASSWORD':\n case 'FASTLANE_SESSION':\n case 'FASTLANE_APPLE_APPLICATION_SPECIFIC_PASSWORD':\n return true;\n\n // Android NDK (per-project NDK version pinning is common)\n case 'NDK_HOME':\n case 'NDK_ROOT':\n return true;\n\n // Per-developer preferences and per-machine setup\n case 'BROWSER':\n case 'BROWSER_ARGS':\n case 'HTTP_PROXY':\n case 'http_proxy':\n case 'HTTPS_PROXY':\n case 'https_proxy':\n case 'ALL_PROXY':\n case 'all_proxy':\n case 'NO_PROXY':\n case 'no_proxy':\n case 'FTP_PROXY':\n case 'ftp_proxy':\n case 'SSL_CRT_FILE':\n case 'SSL_KEY_FILE':\n case 'REACT_NATIVE_PACKAGER_HOSTNAME':\n return true;\n // NOTE(@kitten): Used to override where hermesc is found, not safe to read from .env\n case 'REACT_NATIVE_OVERRIDE_HERMES_DIR':\n return true;\n\n default:\n return false;\n }\n}\n"],"mappings":";;;;;;;;AAAA,SAAAA,QAAA;EAAA,MAAAC,IAAA,GAAAC,sBAAA,CAAAC,OAAA;EAAAH,OAAA,YAAAA,CAAA;IAAA,OAAAC,IAAA;EAAA;EAAA,OAAAA,IAAA;AAAA;AAAyB,SAAAC,uBAAAE,CAAA,WAAAA,CAAA,IAAAA,CAAA,CAAAC,UAAA,GAAAD,CAAA,KAAAE,OAAA,EAAAF,CAAA;AAEzB,MAAMG,QAAQ,GAAGC,iBAAE,CAACD,QAAQ,CAAC,CAAC;;AAE9B;AACA,MAAME,QAAQ,GAAG,IAAIC,GAAG,CAACC,OAAO,CAACC,GAAG,CAACC,uBAAuB,EAAEC,KAAK,CAAC,GAAG,CAAC,CAACC,MAAM,CAAEC,CAAC,IAAK,CAAC,CAACA,CAAC,CAAC,CAAC;AAErF,SAASC,qBAAqBA,CAACC,IAAY,EAAW;EAC3D,OAAOT,QAAQ,CAACU,GAAG,CAACD,IAAI,CAAC;AAC3B;AAEO,SAASE,eAAeA,CAACF,IAAY,EAAE;EAC5C,IAAIX,QAAQ,KAAK,QAAQ,IAAIW,IAAI,CAACG,UAAU,CAAC,OAAO,CAAC,EAAE;IACrD,OAAO,IAAI;EACb,CAAC,MAAM,IAAId,QAAQ,KAAK,OAAO,IAAIW,IAAI,CAACG,UAAU,CAAC,KAAK,CAAC,EAAE;IACzD,OAAO,IAAI;EACb,CAAC,MAAM,IAAIZ,QAAQ,CAACU,GAAG,CAACD,IAAI,CAAC,EAAE;IAC7B,OAAO,KAAK;EACd;;EAEA;EACA;EACA;EACA;EACA,QAAQA,IAAI;IACV;IACA,KAAK,mBAAmB;IACxB,KAAK,gBAAgB;IACrB,KAAK,yBAAyB;MAC5B,OAAO,IAAI;;IAEb;IACA,KAAK,YAAY;IACjB,KAAK,iBAAiB;IACtB,KAAK,UAAU;MACb,OAAO,IAAI;;IAEb;IACA,KAAK,uBAAuB;IAC5B,KAAK,mBAAmB;IACxB,KAAK,qBAAqB;IAC1B,KAAK,4BAA4B;IACjC,KAAK,8BAA8B;MACjC,OAAO,IAAI;;IAEb;IACA,KAAK,eAAe;MAClB,OAAO,IAAI;;IAEb;IACA,KAAK,
WAAW;IAChB,KAAK,cAAc;IACnB,KAAK,qBAAqB;IAC1B,KAAK,8BAA8B;IACnC,KAAK,oBAAoB;IACzB,KAAK,yBAAyB;IAC9B,KAAK,2BAA2B;MAC9B,OAAO,IAAI;;IAEb;IACA,KAAK,mCAAmC;MACtC,OAAO,IAAI;;IAEb;IACA,KAAK,UAAU;IACf,KAAK,KAAK;IACV,KAAK,SAAS;IACd,KAAK,KAAK;IACV,KAAK,QAAQ;IACb,KAAK,gBAAgB;IACrB,KAAK,WAAW;IAChB,KAAK,UAAU;MACb,OAAO,IAAI;;IAEb;IACA,KAAK,SAAS;IACd,KAAK,iBAAiB;IACtB,KAAK,SAAS;IACd,KAAK,aAAa;IAClB,KAAK,aAAa;IAClB,KAAK,eAAe;MAClB,OAAO,IAAI;;IAEb;IACA,KAAK,UAAU;IACf,KAAK,UAAU;IACf,KAAK,SAAS;MACZ,OAAO,IAAI;;IAEb;IACA,KAAK,eAAe;IACpB,KAAK,YAAY;IACjB,KAAK,YAAY;IACjB,KAAK,eAAe;IACpB,KAAK,gBAAgB;IACrB,KAAK,kBAAkB;IACvB,KAAK,gBAAgB;IACrB,KAAK,kBAAkB;MACrB,OAAO,IAAI;;IAEb;IACA,KAAK,SAAS;IACd,KAAK,SAAS;IACd,KAAK,gBAAgB;IACrB,KAAK,WAAW;IAChB,KAAK,UAAU;IACf,KAAK,UAAU;IACf,KAAK,UAAU;IACf,KAAK,aAAa;MAChB,OAAO,IAAI;;IAEb;IACA,KAAK,eAAe;IACpB,KAAK,mBAAmB;IACxB,KAAK,kBAAkB;IACvB,KAAK,WAAW;MACd,OAAO,IAAI;;IAEb;IACA,KAAK,MAAM;IACX,KAAK,aAAa;IAClB,KAAK,WAAW;IAChB,KAAK,UAAU;IACf,KAAK,QAAQ;IACb,KAAK,KAAK;IACV,KAAK,MAAM;IACX,KAAK,MAAM;IACX,KAAK,OAAO;IACZ,KAAK,MAAM;IACX,KAAK,SAAS;IACd,KAAK,MAAM;IACX,KAAK,KAAK;IACV,KAAK,QAAQ;IACb,KAAK,UAAU;MACb,OAAO,IAAI;;IAEb;IACA,KAAK,YAAY;IACjB,KAAK,YAAY;MACf,OAAO,IAAI;;IAEb;IACA,KAAK,QAAQ;IACb,KAAK,QAAQ;IACb,KAAK,OAAO;IACZ,KAAK,UAAU;MACb,OAAO,IAAI;;IAEb;IACA,KAAK,iBAAiB;IACtB,KAAK,gBAAgB;IACrB,KAAK,eAAe;IACpB,KAAK,iBAAiB;IACtB,KAAK,gBAAgB;IACrB,KAAK,iBAAiB;IACtB,KAAK,cAAc;MACjB,OAAO,IAAI;;IAEb;IACA,KAAK,YAAY;IACjB,KAAK,aAAa;IAClB,KAAK,gBAAgB;IACrB,KAAK,aAAa;MAChB,OAAO,IAAI;;IAEb;IACA;IACA;IACA;IACA,KAAK,qBAAqB;IAC1B,KAAK,mBAAmB;IACxB,KAAK,uBAAuB;IAC5B,KAAK,yBAAyB;IAC9B,KAAK,kBAAkB;IACvB,KAAK,eAAe;IACpB,KAAK,mBAAmB;IACxB,KAAK,oBAAoB;IACzB,KAAK,WAAW;IAChB,KAAK,aAAa;IAClB,KAAK,iBAAiB;IACtB,KAAK,gBAAgB;IACrB,KAAK,YAAY;MACf,OAAO,IAAI;IAEb;MACE,OAAO,KAAK;EAChB;AACF;;AAEA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACO,SAASI,aAAaA,CAACJ,IAAY,EAAW;EACnD,IAAIT,QAAQ,CAACU,GAAG,CAACD,IAAI,CAAC,EAAE,OAAO,KAAK;EACpC,QAAQA,IAAI;IACV;IACA,KAAK,cAAc;IACnB,KAAK,kBAAkB;IACvB,KAAK,kBA
AkB;IACvB,KAAK,kBAAkB;IACvB,KAAK,kBAAkB;IACvB,KAAK,uBAAuB;IAC5B,KAAK,aAAa;IAClB,KAAK,kBAAkB;IACvB,KAAK,aAAa;MAChB,OAAO,IAAI;;IAEb;IACA,KAAK,WAAW;IAChB,KAAK,UAAU;IACf,KAAK,UAAU;MACb,OAAO,IAAI;;IAEb;IACA,KAAK,eAAe;IACpB,KAAK,0BAA0B;MAC7B,OAAO,IAAI;;IAEb;IACA,KAAK,yBAAyB;IAC9B,KAAK,eAAe;IACpB,KAAK,mBAAmB;IACxB,KAAK,kBAAkB;IACvB,KAAK,8CAA8C;MACjD,OAAO,IAAI;;IAEb;IACA,KAAK,UAAU;IACf,KAAK,UAAU;MACb,OAAO,IAAI;;IAEb;IACA,KAAK,SAAS;IACd,KAAK,cAAc;IACnB,KAAK,YAAY;IACjB,KAAK,YAAY;IACjB,KAAK,aAAa;IAClB,KAAK,aAAa;IAClB,KAAK,WAAW;IAChB,KAAK,WAAW;IAChB,KAAK,UAAU;IACf,KAAK,UAAU;IACf,KAAK,WAAW;IAChB,KAAK,WAAW;IAChB,KAAK,cAAc;IACnB,KAAK,cAAc;IACnB,KAAK,gCAAgC;MACnC,OAAO,IAAI;IACb;IACA,KAAK,kCAAkC;MACrC,OAAO,IAAI;IAEb;MACE,OAAO,KAAK;EAChB;AACF","ignoreList":[]}
|