From 3f0354f09ebb6f48423f83b2554518f5cce2e18b Mon Sep 17 00:00:00 2001
From: Scott Nonnenberg
Date: Mon, 29 Jan 2018 16:57:49 -0800
Subject: [PATCH] Harden production against NODE_ENV environment variable (#2010)

Fixes #1999
---
 app/config.js | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/app/config.js b/app/config.js
index 237b781b4..d0eff76d7 100644
--- a/app/config.js
+++ b/app/config.js
@@ -2,8 +2,14 @@ const path = require('path');
 
 const electronIsDev = require('electron-is-dev');
 
-const defaultEnvironment = electronIsDev ? 'development' : 'production';
-const environment = process.env.NODE_ENV || defaultEnvironment;
+let environment;
+
+// In production mode, NODE_ENV cannot be customized by the user
+if (electronIsDev) {
+ environment = process.env.NODE_ENV || 'development';
+} else {
+ environment = 'production';
+}
 
 // Set environment vars to configure node-config before requiring it
 process.env.NODE_ENV = environment;
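Review bot: The production branch is still selected by `electronIsDev`, and electron-is-dev, as far as I know, lets an `ELECTRON_IS_DEV` environment variable override its detection, so a packaged build started with that variable set would take the first branch and honour `NODE_ENV` again. Consider gating on a signal that is not read from the environment, or at least record the dependency above the `if`, e.g. `// electronIsDev can be overridden via ELECTRON_IS_DEV; production must not rely on it alone`. node-config also reads `NODE_CONFIG`, `NODE_CONFIG_DIR` and `NODE_APP_INSTANCE`; the statements after `process.env.NODE_ENV = environment;` are outside this hunk, so I cannot tell whether those are pinned for production as well.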