DEV Community

Cover image for Your AI Can Read Your .env File - Unless You Stop It Like This
Playful Programming profile image Gianluca La Manna
Gianluca La Manna for Playful Programming

Posted on

Your AI Can Read Your .env File - Unless You Stop It Like This

#javascript #security #ai #node

Let’s be honest: giving an AI Agent access to our file system is incredibly convenient. It can write code, fix bugs, and analyze logs in an instant.

However, with great power comes great responsibility. If the AI decides (or is tricked via prompt injection) to read your .env file, your API keys, database passwords, and production secrets are potentially compromised. This remains a critical risk even if you use premium plans - which generally preserve data privacy compared to free tiers that use data for training - because the vulnerability lies in the execution access you've granted.

Let's look at how to implement a "read_hook" in Node.js to block the reading of these sensitive files.

The Problem: AI is Too Curious

AI agents typically operate by receiving instructions and parameters in JSON format. If a system tool allows the AI to read a file via a path parameter, the AI will simply attempt to execute that command if it deems it useful for the user's request.

The Solution: Intercepting the Request

The most effective approach is to insert a control middleware (a hook) between the output generated by the AI and the actual execution on your system.
Configure your hook based on the coding agent you are using.
Eg: Claude, Gemini

Let’s analyze this Node.js code snippet:

async function main() {
  const chunks = [];
  // 1. Read the input from standard input (stdin)
  for await (const chunk of process.stdin) {
    chunks.push(chunk);
  }

  const toolArgs = JSON.parse(Buffer.concat(chunks).toString());

  // 2. Extract the path the AI is trying to read
  const readPath = 
    toolArgs.tool_input?.file_path || toolArgs.tool_input?.path || "";

  // 3. Security Check: Prevent access to .env files
  if(readPath.includes('.env')) {
    console.error("SECURITY ERROR: You cannot read the .env file");
    process.exit(2); // Forced exit with error code
  }

  // If the check passes, proceed with the read operation...
}
Enter fullscreen mode Exit fullscreen mode

Why This Approach Works

  • Fail-Fast: Instead of just returning a text error to the AI (which might try to bypass it with another prompt), the process terminates abruptly with process.exit(2).

  • Parameter Analysis: It doesn't matter if the AI calls the field file_path or simply path; the hook covers both common naming conventions.

  • Zero Trust: We don't rely on the "common sense" of the model or system prompts. We enforce a hard-coded rule at the operating system level.

Beyond Simple .env: Best Practices

Blocking just the .env string is a good start, but in a production environment, you should consider:

  1. Whitelisting vs. Blacklisting: Instead of just banning .env files, allow the AI to read only from a specific folder (e.g., /src).

  2. Path Normalization: Use path.resolve() to prevent the AI from using "dot notation" (../../.env) to climb out of the intended directory and bypass checks

  3. Isolated Environments: Whenever possible, run the AI inside a Docker container or a sandbox with restricted file permissions.

Conclusion

Integrating AI tools into our workflows is the future, but security must not be an afterthought. A simple script of just a few lines can be the difference between a productive day and a catastrophic data breach.

Top comments (3)

Collapse
 
ingosteinke profile image
Ingo Steinke, web developer

Reading .env files should be no problem in a development environment with access data for localhost and remote staging servers. If there is an .env file containing any production credentials inside a developer's development repository, that's a security flaw with or without AI.

Collapse
 
thecoder93 profile image
Gianluca La Manna Playful Programming

True, but there’s another aspect: even a staging API key in a local .env is a 'live' secret. If the AI reads it and sends it to its servers, that key is technically exposed. Personally, I prefer that no secrets leave the local perimeter, even if they are just for dev, to avoid the hassle of having to constantly rotate them. The article was intended to highlight how hooks can be an excellent solution for automating protection even in specific cases like these.

Collapse
 
trinhcuong-ast profile image
Kai Alder

Good point about the whitelisting approach. I've been running Claude Code on a VPS and the first thing I did was set up a sandbox with limited file access — but honestly I hadn't thought about hooks as an additional layer.

One thing worth mentioning: the .env string check alone can be bypassed pretty easily. Something like cat .e\nv or reading the file through a symlink would get past it. The path.resolve() + whitelist combo you mention is really the way to go.

Also wondering if anyone's looked into using Linux seccomp or AppArmor profiles for this instead of application-level hooks? Feels like OS-level restrictions would be harder to circumvent than anything running in userspace.