
Security: Global runtime environment object is mutable and exposed by reference#4627

Open
tuanaiseo wants to merge 1 commit intomodule-federation:mainfrom
tuanaiseo:contribai/fix/security/global-runtime-environment-object-is-mut

Conversation

@tuanaiseo

Problem

setRuntimeEnv stores a process-global object and getRuntimeEnv returns the same object reference. In long-lived server processes, this can cause cross-request state contamination and accidental or malicious mutation by downstream code, potentially altering security-sensitive runtime behavior.

Severity: medium
File: packages/treeshake-server/src/utils/runtimeEnv.ts

Solution

Clone and freeze runtime env on write/read (Object.freeze({...env})), avoid returning mutable references, and scope environment state per request/context instead of global module state where feasible.

Changes

  • packages/treeshake-server/src/utils/runtimeEnv.ts (modified)

Testing

  • Existing tests pass
  • Manual review completed
  • No new warnings/errors introduced

… mutable and e

`setRuntimeEnv` stores a process-global object and `getRuntimeEnv` returns the same object reference. In long-lived server processes, this can cause cross-request state contamination and accidental or malicious mutation by downstream code, potentially altering security-sensitive runtime behavior.

Affected files: runtimeEnv.ts

Signed-off-by: tuanaiseo <221258316+tuanaiseo@users.noreply.github.com>
@netlify

netlify bot commented Apr 6, 2026

Deploy Preview for module-federation-docs ready!

Name Link
🔨 Latest commit 7ac2179
🔍 Latest deploy log https://app.netlify.com/projects/module-federation-docs/deploys/69d3961f7f57460008bf105d
😎 Deploy Preview https://deploy-preview-4627--module-federation-docs.netlify.app

@changeset-bot

changeset-bot bot commented Apr 6, 2026

⚠️ No Changeset found

Latest commit: 7ac2179

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types


@2heal1
Member

2heal1 commented Apr 7, 2026

"LGTM. However, since runtimeEnv is already shallow cloned and frozen inside setRuntimeEnv, returning the reference directly in getRuntimeEnv is completely safe and avoids unnecessary object allocation/GC overhead on every getter call. Could we optimize this before merging?"
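The following is an added illustration, not code from the module-federation repository or from this PR: it models the reference-leak the PR description reports, the clone-and-freeze-on-write fix with the getter returning the frozen reference (the reviewer's point), and the caveat that `Object.freeze` is shallow. The `RuntimeEnv` shape and all function names are assumptions.

```typescript
// Assumed shape of the runtime env; the real runtimeEnv.ts may differ.
type RuntimeEnv = Record<string, unknown>;

// --- Before: a process-global object handed out by reference ---
let unsafeEnv: RuntimeEnv = {};
export function setRuntimeEnvUnsafe(env: RuntimeEnv): void {
  unsafeEnv = env; // stores the caller's object as-is
}
export function getRuntimeEnvUnsafe(): RuntimeEnv {
  return unsafeEnv; // same reference: any caller can mutate global state
}

// --- After: shallow-clone and freeze on write. The getter can then return
// the frozen reference with no per-call allocation (reviewer's suggestion). ---
let safeEnv: Readonly<RuntimeEnv> = Object.freeze({});
export function setRuntimeEnv(env: RuntimeEnv): void {
  safeEnv = Object.freeze({ ...env }); // clone so later edits to `env` cannot leak in
}
export function getRuntimeEnv(): Readonly<RuntimeEnv> {
  return safeEnv;
}

// Simulates "request A" tampering with the env object it was handed and
// reports whether "request B" then observes the tampered value.
// ES modules run in strict mode, so writes to a frozen object throw TypeError.
export function mutationLeaks(useSafe: boolean): boolean {
  const set = useSafe ? setRuntimeEnv : setRuntimeEnvUnsafe;
  const get = useSafe ? getRuntimeEnv : getRuntimeEnvUnsafe;
  set({ allowUnsafeEval: false }); // constructed sample flag
  const fromRequestA = get() as RuntimeEnv;
  try {
    fromRequestA.allowUnsafeEval = true;
  } catch {
    // frozen object: the write is rejected
  }
  return get().allowUnsafeEval === true;
}

// Caveat: Object.freeze is shallow. A nested object inside env stays mutable
// through the frozen parent unless it is frozen recursively as well.
export function nestedStillMutable(): boolean {
  setRuntimeEnv({ nested: { flag: false } });
  const n = getRuntimeEnv().nested as { flag: boolean };
  try {
    n.flag = true;
  } catch {
    // not reached: the nested object itself was never frozen
  }
  return (getRuntimeEnv().nested as { flag: boolean }).flag === true;
}
```

Because of the shallow-freeze caveat, any nested configuration objects placed in the env need a deep freeze (or a deep clone on read) to get the same guarantee.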
