How to prevent injection of FLY_ env variables into the container

I am building an environment that allows to execute arbitrary user code. It seems like env contains potentially sensitive information. What’s the best way to not include that when starting the container?

I am using the API.

Not sure if there’s an official way to do it, but create a startup script that unsets FLY_ variables.

Keep in mind that if the untrusted code is running as root, it can get access to the environment variables in other processes even if they are unset in the main application.

The FLY_* variables aren’t that sensitive and you might want to assume that untrusted code can discover the information in other ways and design accordingly. Which variables are you most concerned about?

1 Like

One of the variables is a FLY token. That’s what I was concerned the most.

@Tim_Newsham any comment here?

I only see fly tokens in an environment variable on machines that I’ve intentionally added a fly token to.

This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.