arangodb
diff --git a/‎3.7/security-security-options.md‎
Lines changed: 117 additions & 70 deletions b/‎3.7/security-security-options.md‎
Lines changed: 117 additions & 70 deletions
@@ -62,7 +62,27 @@ ArangoDB will use.
 These patterns and how they are applied can be observed by enabling 
 `--log.level SECURITY=debug` in the `arangod` or `arangosh` log output.
 
-#### Combining patterns
+### Options for blacklisting and whitelisting
+
+The following options are available for blacklisting and whitelisting access
+to dedicated functionality for application code:
+
+- `--javascript.startup-options-[whitelist|blacklist]`:
+  These options control which startup options will be exposed to JavaScript code.
+
+- `--javascript.environment-variables-[whitelist|blacklist]`:
+  These options control which environment variables will be exposed to
+  JavaScript code.
+
+- `--javascript.files-whitelist`:
+  This option controls which filesystem paths can be accessed from JavaScript
+  code. There is only a whitelist option for file access.
+
+- `--javascript.endpoints-[whitelist|blacklist]`:
+  These options control which endpoints can be used from within the
+  `@arangodb/request` JavaScript module.
+
+#### Startup option access
 
 The security option to observe the behavior of the pattern matching most easily
 is the masquerading of the startup options:
@@ -81,7 +101,7 @@ These sets will resolve internally to the following regular expressions:
 --javascript.startup-options-blacklist = "^javascript\.|endpoint"
 ```
 
-Invoking an arangosh with these options will hide the blacklisted commandline
+Invoking arangosh with these options will hide the blacklisted commandline
 options from the output of: 
 
 ```js
@@ -91,6 +111,57 @@ require('internal').options()
 … and an exception will be thrown when trying to access items that are masked
 in the same way as if they weren't there in first place.
 
+#### Environment variable access
+
+Access to environment variables can be restricted to hide sensitive information
+from JavaScript code, for example:
+
+```
+--javascript.environment-variables-whitelist "^ARANGO_"
+--javascript.environment-variables-blacklist "PASSWORD"
+```
+
+This will allow JavaScript code to only see environment variables that start
+with `ARANGO_` except if they contain `PASSWORD`. It excludes the variables
+`PATH` and `ARANGO_ROOT_PASSWORD` for instance.
+
+Note that regular expression matching is case-sensitive. `PASSWORD` will not
+exclude environment variables that include `password`. You may use
+`[Pp][Aa][Ss][Ss][Ww][Oo][Rr][Dd]` for case-insensitive matching.
+
+You can test the black/whitelisting in _arangosh_, here using the ArangoDB 3.7
+Docker image:
+
+```
+docker run --rm -e ARANGO_ROOT_PASSWORD="secret" arangodb:3.7 arangosh --javascript.execute-string "print(process.env)"
+...
+{
+  "ARANGO_PACKAGE" : "arangodb3_3.7.15-1_amd64.deb",
+  "HOSTNAME" : "84fe29186eba",
+  "SHLVL" : "1",
+  "HOME" : "/root",
+  "ARANGO_ROOT_PASSWORD" : "secret",
+  "ARANGO_VERSION" : "3.7.15",
+  "PATH" : "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
+  "ARANGO_URL" : "https://download.arangodb.com/arangodb37/DEBIAN/amd64",
+  "ARANGO_PACKAGE_URL" : "https://download.arangodb.com/arangodb37/DEBIAN/amd64/arangodb3_3.7.15-1_amd64.deb",
+  "ARANGO_SIGNATURE_URL" : "https://download.arangodb.com/arangodb37/DEBIAN/amd64/arangodb3_3.7.15-1_amd64.deb.asc",
+  "PWD" : "/",
+  "GLIBCXX_FORCE_NEW" : "1",
+  "ICU_DATA" : "/usr/share/arangodb3/"
+}
+
+docker run --rm -e ARANGO_ROOT_PASSWORD="secret" arangodb:3.7 arangosh --javascript.execute-string "print(process.env)" --javascript.environment-variables-whitelist "^ARANGO_" --javascript.environment-variables-blacklist "PASSWORD"
+...
+[Object {
+  "ARANGO_PACKAGE" : "arangodb3_3.7.15-1_amd64.deb",
+  "ARANGO_VERSION" : "3.7.15",
+  "ARANGO_URL" : "https://download.arangodb.com/arangodb37/DEBIAN/amd64",
+  "ARANGO_PACKAGE_URL" : "https://download.arangodb.com/arangodb37/DEBIAN/amd64/arangodb3_3.7.15-1_amd64.deb",
+  "ARANGO_SIGNATURE_URL" : "https://download.arangodb.com/arangodb37/DEBIAN/amd64/arangodb3_3.7.15-1_amd64.deb.asc"
+}]
+```
+
 #### File access
 
 In contrast to other areas, access to directories and files from JavaScript
@@ -131,65 +202,65 @@ The endpoint black/white listing limits access to external HTTP resources:
 --javascript.endpoints-whitelist "<regex>"
 ```
 
-Filtering is done against the protocol, hostname / IP address, and the port.
-It is not possible to restrict URL paths or other parts of a URL.
-
-In contrast to the URLs specified in JavaScript code, the filters have
-to be specified in the ArangoDB endpoints notation for the startup options:
-
-- `tcp://` instead of `http://`
-- `ssl://` instead of `https://`
-- If no protocol is specified, then it will match both (tcp/http and ssl/https).
+Filtering is done against the full request URL, including protocol, domain /
+IP address, port, and path.
 
 {% hint 'security' %}
 Keep in mind that these startup options are treated as regular expressions.
-It is recommended to fully specify protocol, host and port and to use a
-leading `^` and trailing `$` to ensure that no other than the intended URLs
-are matched.
+Certain characters have special mean
D0E4
ing that may require escaping and the
+expression only needs to match a substring by default. It is recommended to
+fully specify URLs and to use a leading `^` and potentially a trailing `$` to
+ensure that no other than the intended URLs are matched.
 {% endhint %}
 
 Specifying `arangodb.org` will match:
- - `http://arangodb.org`
- - `https://arangodb.org`
- - `https://arangodb.org:12345`
- - `https://subdomain.arangodb.organic` **(!)**
- - `https://arangodb-org.evil.com` **(!)**
- - etc.
+- `http://arangodb.org`
+- `https://arangodb.org`
+- `https://arangodb.org:12345`
+- `https://subdomain.arangodb.organic` **(!)**
+- `https://arangodb-org.evil.domain` **(!)**
+- etc.
 
 An unescaped `.` represents any character. For a literal dot use `\.`.
 
-Specifying `tcp://arangodb\.org` will match:
- - `http://arangodb.org`
- - `http://arangodb.org:12345`
- - `http://arangodb.organic` **(!)**
- - etc.
+Specifying `http://arangodb\.org` will match:
+- `http://arangodb.org`
+- `http://arangodb.org:12345`
+- `http://arangodb.organic` **(!)**
+- `http://arangodb.org.evil.domain` **(!)**
+- etc.
+
+Specifying `^http://arangodb\.org$` will only match `http://arangodb.org`.
+Despite port 80 being the default HTTP port, this will not match
+`http://arangodb.org:80` with an explicitly stated port. Conversely, specifying
+`^http://arangodb\.org:80$` will match `http://arangodb.org:80` with an explicit
+port in the request URL but not `http://arangodb.org` with the port left out.
+To allow both, you can make the port optional like `^http://arangodb\.org(:80)?$`.
+However, the trailing `$` demands that the URL has no path. This means
+`http://arangodb.org/folder/file.html` and even `http://arangodb.org/` will not
+match. You can specify `^http://arangodb\.org(:80)?/` to allow any path (but
+the trailing slash will be needed in the request URL).
+
+Specifying `^https?://arangodb\.org(:80|:443)?(/|$)` will match:
+- `http://arangodb.org`
+- `http://arangodb.org/`
+- `http://arangodb.org/folder/file.html`
+- `http://arangodb.org:80`
+- `http://arangodb.org:80/`
+- `http://arangodb.org:80/folder/file.html`
+- `https://arangodb.org:443`
+- `https://arangodb.org:443/`
+- `https://arangodb.org:443/folder/file.html`
+- etc.
 
-Specifying `^tcp://arangodb\.org:80$` will match:
- - `http://arangodb.org`
- - `http://arangodb.org:80`
-
-Note that `^tcp://arangodb\.org$` will not match anything, because the port
-(here: `:80`) is added internally after `.org` but the expression demands that
-the address must not have a port (`\.org$`).
-
-Specifying `^ssl://arangodb\.org:443$` will match:
- - `https://arangodb.org`
- - `https://arangodb.org:443`
-
-Specifying `^(tcp|ssl)://arangodb.org:(80|443)$` will match:
- - `http://arangodb.org`
- - `http://arangodb.org:80`
- - `http://arangodb.org:443`
- - `https://arangodb.org`
- - `https://arangodb.org:80`
- - `https://arangodb.org:443`
 
 You can test the black/whitelisting in _arangosh_:
 
 ```
-arangosh --javascript.endpoints-whitelist "^ssl://arangodb\.org:443$"
+arangosh --javascript.endpoints-whitelist "^https://arangodb\.org(:443)?/"
 127.0.0.1:8529@_system> require('internal').download('http://arangodb.org/file.zip')
-JavaScript exception: ArangoError 11: not allowed to connect to this endpoint
+JavaScript exception: ArangoError 11: not allowed to connect to this URL: http://arangodb.org/file.zip
+...
 
 127.0.0.1:8529@_system> require('internal').download('https://arangodb.org/file.zip')
 <request permitted by whitelist>
@@ -205,30 +276,6 @@ Examples are:
   wrapped in double quotes (`"^http…"`).
 {% endhint %}
 
-### Options for blacklisting and whitelisting
-
-The following options are available for blacklisting and whitelisting access
-to dedicated functionality for application code:
-
-- `--javascript.startup-options-[whitelist|blacklist]`:
-  These options control which startup options will be exposed to JavaScript code, 
-  following above rules for blacklists and whitelists.
-
-- `--javascript.environment-variables-[whitelist|blacklist]`:
-  These options control which environment variables will be exposed to JavaScript
-  code, following above rules for blacklists and whitelists.
-
-- `--javascript.endpoints-[whitelist|blacklist]`:
-  These options control which endpoints can be used from within the `@arangodb/request`
-  JavaScript module.
-  Endpoint values are passed into the filter in a normalized format starting
-  with either of the prefixes `tcp://`, `ssl://`, `unix://` or `srv://`.
-  Note that for HTTP/SSL-based endpoints the port number will be included too,
-  and that the endpoint can be specified either as an IP address or host name
-  from application code.
-
-- `--javascript.files-whitelist`:
-  This option controls which filesystem paths can be accessed from JavaScript code.
 
 ### Additional JavaScript security options