Glitch env secrets visible anonymous upon remixing

Glitch’s .env is divulging secrets, but only when remixing, despite this explicit mention that it clears out the secrets upon remix:

Only invited collaborators are able to see the contents of your .env file. So anonymous viewers or logged-in users who haven’t been invited to your project can’t see them. When remixing an app the values are cleared so they’re not copied across.

They are not visible in the root project anonymously: https://glitch.com/edit/#!/smartthings-rules-manager?path=.env:6:50

This is concerning, as we just sent out an email campaign driving developers to our Glitch example. Is this a bug in Glitch, or have we done something improperly resulting in this?

Yes, I am logged in and upon remixing your project, I could see 4-5 lines of values in the .env file.

I’m sure this must be a bug. @Glitch_Response

Ignore this, I forgot you sent the mass email:

For now, you should set your project to ‘Private’ mode so others won’t be able to see your secret info.

I deleted my remixed project without looking at the data in .env in detail.

Best,
NL


I’ll ping the support team! @glitch_support this seems like a security issue.

Hi @erodewald

Thanks for letting us know! I have notified the team and they will take a closer look at what’s going on. I’ll respond here once I get an update.


Glitch @Glitch_Response contacted me directly and found a resolution for me. For whatever reason, the 2nd line: REACT_APP_NAME=thing caused the problem, and removing it fixed it. I don’t have clarity on why, but perhaps Glitch can give us a retro once they fix it to regain some trust in the secrets functionality.

Shouldn’t mentioning .env in a .gitignore file prevent it from being copied when the project is remixed?

Maybe it could be due to a character of a different format? e.g. Glitch fails to parse the .env file so it just copies it…?
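The speculation above points at the design question behind this thread: a secret-clearing step that copies the file through whenever it cannot parse it fails open. Below is an added Python example, not Glitch's code, of the clearing described in the quoted help text written to fail closed (a remix gets an empty .env rather than the original on any parse error), plus a check a project owner could run against a remixed copy. The KEY=VALUE grammar, function names, and sample keys and values are all assumptions constructed for the example.

```python
"""
Fail-closed scrubbing of a .env file when a project is copied (e.g. remixed).

Added example, not Glitch's implementation. It assumes a simple format of
blank lines, `#` comments and KEY=VALUE assignments (optional `export `
prefix). Any line that does not fit is treated as a reason to refuse the
copy, never as a reason to pass the file through unchanged.
"""
import re

# KEY=VALUE with a POSIX-style identifier as the key (assumed grammar).
_ASSIGNMENT = re.compile(r"^(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=(.*)$")


class EnvParseError(ValueError):
    """Raised when a line is not blank, a comment, or a KEY=VALUE assignment."""


def scrub_env(text: str) -> str:
    """Return the .env contents with every value blanked.

    Comments and blank lines are kept so the remixer can see which keys the
    project expects. Raises EnvParseError on any unrecognised line; a scrubber
    that fell back to the original text on error would leak the very values it
    exists to clear.
    """
    out = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            out.append(raw)
            continue
        m = _ASSIGNMENT.match(line)
        if m is None:
            raise EnvParseError(f"line {lineno}: not a KEY=VALUE assignment: {raw!r}")
        out.append(f"{m.group(1)}=")
    return "\n".join(out) + ("\n" if text.endswith("\n") else "")


def copy_env_for_remix(text: str) -> str:
    """Produce the .env for a remixed copy, failing closed: a parse error
    yields an empty file, never the source contents."""
    try:
        return scrub_env(text)
    except EnvParseError:
        return ""


def leaked_values(source: str, copied: str) -> list[str]:
    """Compare a copied .env with its source and return the keys whose
    non-empty source value survived into the copy (should be empty)."""
    def values(t: str) -> dict[str, str]:
        vals = {}
        for raw in t.splitlines():
            m = _ASSIGNMENT.match(raw.strip())
            if m:
                vals[m.group(1)] = m.group(2).strip()
        return vals
    src, dst = values(source), values(copied)
    return sorted(k for k, v in src.items() if v and dst.get(k) == v)


# Constructed sample input; keys and values are illustrative only.
SAMPLE_ENV = (
    "# example project settings (constructed values)\n"
    "CLIENT_SECRET=s3cr3t-value\n"
    "REACT_APP_NAME=thing\n"
    "API_TOKEN=tok_123\n"
)

# Constructed sample containing a line the assumed grammar does not accept.
MALFORMED_ENV = SAMPLE_ENV + "this line has no equals sign\n"

if __name__ == "__main__":
    print(copy_env_for_remix(SAMPLE_ENV))            # keys kept, values blank
    print(repr(copy_env_for_remix(MALFORMED_ENV)))   # '' : refused, not copied
    # What a fail-open copier would have exposed for the malformed file:
    print(leaked_values(MALFORMED_ENV, MALFORMED_ENV))
```

`leaked_values` is the check a project owner can run independently of the platform: remix the project, fetch the copy's .env, and confirm the list comes back empty before pointing anyone at the example.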