CVE-2022-46155: Airtable.js Misconfigured Build Script Exposes API Keys

Airtable.js is a popular JavaScript client for Airtable, a cloud-based spreadsheet and database platform. It was recently discovered that, prior to version 0.11.6, Airtable.js had a misconfigured build script that could expose users' Airtable API keys. This vulnerability has been assigned the identifier CVE-2022-46155.

Details

The misconfiguration in the build script occurs when it bundles environment variables into the build target of a transpiled bundle. Specifically, the AIRTABLE_API_KEY and AIRTABLE_ENDPOINT_URL environment variables are inserted during Browserify builds due to being referenced in the Airtable.js code. This issue only affects copies of Airtable.js built from its source, not those installed via npm or yarn.

Exploit Details

A user's Airtable API key set via the AIRTABLE_API_KEY environment variable may be bundled into a local copy of Airtable.js if all of the following conditions hold:

- The user has the AIRTABLE_API_KEY environment variable set.
- The user builds Airtable.js from its source with Browserify, rather than installing it via npm or yarn.
- The resulting bundle is shipped or published.

If these conditions are met, the user's local build of Airtable.js contains the value of the AIRTABLE_API_KEY environment variable as a literal, which can then be accidentally shipped in the bundled code. Users who do not meet all three of these conditions are not impacted by this issue.

Here is a code snippet that demonstrates the usage of the AIRTABLE_API_KEY environment variable in Airtable.js:

const Airtable = require('airtable');

// The key is read from the environment at runtime; in an affected source build,
// a Browserify transform replaces this reference with the key's literal value.
const apiKey = process.env.AIRTABLE_API_KEY;

Airtable.configure({
    endpointUrl: 'https://api.airtable.com',
    apiKey: apiKey
});

// Base ID placeholder; replace with your own base.
const base = Airtable.base('appXXXXXXXXXXXXXX');

/* Your Airtable.js code here */

Resolution

To fix this vulnerability, users should upgrade to Airtable.js version 0.11.6 or later. As an alternative, users can unset the AIRTABLE_API_KEY environment variable in their shell before building and remove it from their .bashrc, .zshrc, or other shell configuration files, so that no value is available to be inlined.

Moreover, users should regenerate any Airtable API key that may have been bundled, so that a key already present in shipped code is no longer valid. This can be done by visiting Airtable's API key management page.

Original References

- Airtable.js GitHub Repository
- CVE-2022-46155 Vulnerability Details
- Airtable API Key Management

Conclusion

The security vulnerability in Airtable.js (CVE-2022-46155) highlights the importance of proper configuration management and awareness of potential risks in build processes. By upgrading to the latest version of Airtable.js and regenerating API keys, users can mitigate this risk and ensure their API keys remain secure.

Timeline

Published on: 11/29/2022 23:15:00 UTC
Last modified on: 07/07/2023 19:04:00 UTC