# Environment Variable Secret Exposure

- ID: javascript-env-vars-secret-exposure
- Severity: HIGH
- CWE: Information Exposure (CWE-200)
- Languages: JavaScript, TypeScript
- Frameworks: nodejs, express, fastify, koa, hapi, nestjs

## Description

Detects when environment variables (which may contain secrets such as API keys, passwords, or tokens) are leaked through logging, HTTP responses, or external requests.

Environment variables commonly store sensitive data:

- API keys (AWS_ACCESS_KEY_ID, STRIPE_SECRET_KEY)
- Database passwords (DB_PASSWORD, DATABASE_URL)
- JWT secrets (JWT_SECRET)
- OAuth tokens (GITHUB_TOKEN, SLACK_TOKEN)

Leaking these values exposes credentials and allows unauthorized access.

This rule uses taint flow analysis to detect when `process.env` flows to:

- Logging functions (console.log, winston, etc.)
- HTTP responses (res.send, res.json)
- External HTTP requests
- Client-side code (sent to the browser)

## Detection Message

Environment variable from {source} is exposed through {sink}. This may leak sensitive credentials (API keys, passwords, tokens).

## Remediation

Use secrets internally without exposing them in logs or responses:

```javascript
const jwt = require('jsonwebtoken');

// Log only whether the secret is present, never its value.
const apiKey = process.env.API_KEY;
console.log('API key configured:', !!apiKey);

// Use the secret to sign; only the derived token leaves the process.
const jwtSecret = process.env.JWT_SECRET;
function sendToken(user, res) {
  const token = jwt.sign({ userId: user.id }, jwtSecret);
  res.json({ token });
}
```

Learn more: https://shoulder.dev/learn/javascript/cwe-200/env-vars-secret-exposure

## Related Rules

- **Environment Variable Secret Exposure** [HIGH]
- **LLM Model Theft** [HIGH]
- **LLM Sensitive Information Disclosure** [HIGH]
- **Sensitive Field Exposure in API Response** [CRITICAL]
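As an added example (not part of the rule's documentation or the project's code), the following shows a defensive counterpart to the remediation above: a log redactor that scrubs the values of secret-looking environment variables before they reach a logging sink, and a startup summary that reports only whether each secret is configured. The `SAMPLE_ENV` values and the `SECRET_NAME` heuristic are assumptions constructed for the example.

```javascript
// Constructed sample environment; none of these are real credentials.
const SAMPLE_ENV = {
  API_KEY: 'sk_test_ABCDEF1234567890',
  DB_PASSWORD: 'hunter2-but-longer',
  NODE_ENV: 'production',
  PORT: '3000',
};

// Heuristic (an assumption, tune per project): variable names that
// usually hold credentials, matching the categories listed in the rule.
const SECRET_NAME = /(KEY|SECRET|TOKEN|PASSWORD|PASSWD|CREDENTIAL)/i;

// Very short values (e.g. "3000") are not scrubbed, so ordinary numbers
// in log lines are left alone.
const MIN_SECRET_LEN = 8;

// Collect the secret values that must never appear in a sink.
function secretValues(env) {
  return Object.entries(env)
    .filter(([name, value]) =>
      SECRET_NAME.test(name) && typeof value === 'string' && value.length >= MIN_SECRET_LEN)
    .map(([, value]) => value);
}

// Replace every occurrence of a secret value in a message with a marker.
function redact(message, env = process.env) {
  let out = String(message);
  for (const value of secretValues(env)) {
    out = out.split(value).join('[REDACTED]');
  }
  return out;
}

// Startup-safe summary: reports presence of secrets, never their value.
function configSummary(env = process.env) {
  const summary = {};
  for (const [name, value] of Object.entries(env)) {
    summary[name] = SECRET_NAME.test(name) ? (value ? 'set' : 'missing') : value;
  }
  return summary;
}

// Wrap a logging sink so string arguments are scrubbed before output.
// Note: only top-level string arguments are scrubbed; objects pass through,
// so nested structures still need their own redaction before logging.
function makeSafeLogger(env = process.env, sink = console.log) {
  return (...args) =>
    sink(...args.map((a) => (typeof a === 'string' ? redact(a, env) : a)));
}
```

`makeSafeLogger(process.env)` can stand in for `console.log` at the points the rule flags, while `configSummary` gives the "is it configured?" startup line without the value.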