
I've been looking through my in-production app's logs in GCP and noticed that the verification response that I am logging contains all my process.env values and secrets including TLS certificates, DB connection strings, everything.

Screenshot attached: [image not reproduced]

This makes me realise this is probably something that any third-party dependency with outbound connections can do.

My questions are:

  • Is this normal?
  • How can I check whether the values are actually sent to a remote server?
  • How can I prevent it, if at all?
SebastianG
  • This seems to be the response of the server application (and not from Twilio's verify service). Can you share the code that is executed when this endpoint is requested? – IObert Aug 16 '23 at 11:15
  • Hi @IObert -- this is the whole response from this call: `await this.twilio.verify.v2.services(this.secrets.get('TWILIO_VERIFY_SID')).verificationChecks.create({ to, code });` where `twilio` is: `this.twilio = new tw.Twilio(sid, token);` – SebastianG Aug 16 '23 at 12:03
  • It seems your code is returning the full client object. When I check the response of the `verificationChecks.create()` call, it only has the following props: `['_version', 'sid', 'serviceSid', 'accountSid', 'to', 'channel', 'status', 'valid', 'amount', 'payee', 'dateCreated', 'dateUpdated', 'snaAttemptsErrorCodes', '_context', '_solution']`. Which client version are you using? – IObert Aug 16 '23 at 14:36

0 Answers