From 054b6c1bc7551d4b1202b5e7fb2e50e546821e77 Mon Sep 17 00:00:00 2001 From: Assaf Sapir Date: Wed, 12 Aug 2020 13:04:50 +0300 Subject: [PATCH 1/2] Chore: Do not send user secret in the referer header --- .gitignore | 1 + lib/hook.js | 13 ++++++++++ test/tap/referer.js | 60 +++++++++++++++++++++++++++++++++++++++++++++ 3 files changed, 74 insertions(+) diff --git a/.gitignore b/.gitignore index cc49b15f8d3f1..3c152e740e159 100644 --- a/.gitignore +++ b/.gitignore @@ -26,3 +26,4 @@ npm-debug.log /node_modules/.cache .DS_Store **/.DS_Store +.vscode/ \ No newline at end of file diff --git a/lib/hook.js b/lib/hook.js index 54aea9f1e9d20..4d980cf95d15e 100644 --- a/lib/hook.js +++ b/lib/hook.js @@ -10,6 +10,7 @@ const pudding = require('figgy-pudding') const relativeDate = require('tiny-relative-date') const Table = require('cli-table3') const validate = require('aproba') +const npm = require('./npm') hook.usage = [ 'npm hook add [--type=]', @@ -40,6 +41,10 @@ module.exports = (args, cb) => BB.try(() => hook(args)).then( err => err.code === 'EUSAGE' ? cb(err.message) : cb(err) ) function hook (args) { + if (args.length === 4) { // secret is passed in the args + // we have the user secret in the CLI args, we need to redact it from the referer. + redactUserSecret() + } return otplease(npmConfig(), opts => { opts = HookConfig(opts) switch (args[0]) { @@ -150,3 +155,11 @@ function hookName (hook) { if (hook.type === 'owner') { target = '~' + target } return target } + +function redactUserSecret () { + const referer = npm.referer + if (!referer) return + const splittedReferer = referer.split(' ') + splittedReferer[4] = '[REDACTED]' + npm.referer = splittedReferer.join(' ') +} diff --git a/test/tap/referer.js b/test/tap/referer.js index 8c3dbed72c319..6df676db62e27 100644 --- a/test/tap/referer.js +++ b/test/tap/referer.js @@ -21,3 +21,63 @@ test('should send referer http header', function (t) { }) }) }) + +test('should redact user secret from hook add command', function (t) { + http.createServer(function (q, s) { + t.equal(q.headers.referer, 'hook add ~zkat [REDACTED] [REDACTED]') + s.statusCode = 204 + s.end() + this.close() + }).listen(common.port, function () { + var reg = `http://localhost:${common.port}` + var args = [ 'hook', 'add', '~zkat', 'https://example.com', 'sekrit', '--registry', reg ] + common.npm(args, {}, function (er, code) { + if (er) { + throw er + } + // should not have ended nicely, since we returned an error + t.ok(code) + t.end() + }) + }) +}) + +test('should redact user secret from hook up command', function (t) { + http.createServer(function (q, s) { + t.equal(q.headers.referer, 'hook up ~zkat [REDACTED] [REDACTED]') + s.statusCode = 204 + s.end() + this.close() + }).listen(common.port, function () { + var reg = `http://localhost:${common.port}` + var args = [ 'hook', 'up', '~zkat', 'https://example.com', 'sekrit', '--registry', reg ] + common.npm(args, {}, function (er, code) { + if (er) { + throw er + } + // should not have ended nicely, since we returned an error + t.ok(code) + t.end() + }) + }) +}) + +test('should redact user secret from hook update command', function (t) { + http.createServer(function (q, s) { + t.equal(q.headers.referer, 'hook update ~zkat [REDACTED] [REDACTED]') + s.statusCode = 204 + s.end() + this.close() + }).listen(common.port, function () { + var reg = `http://localhost:${common.port}` + var args = [ 'hook', 'update', '~zkat', 'https://example.com', 'sekrit', '--registry', reg ] + common.npm(args, {}, function (er, code) { + if (er) { + throw er + } + // should not have ended nicely, since we returned an error + t.ok(code) + t.end() + }) + }) +}) From 15d9936b57447c53dab7253db275a6c4647eae88 Mon Sep 17 00:00:00 2001 From: Assaf Sapir Date: Thu, 13 Aug 2020 08:27:18 +0300 Subject: [PATCH 2/2] Add newline --- .gitignore | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.gitignore b/.gitignore index 3c152e740e159..f4cf640f7ac9f 100644 --- a/.gitignore +++ b/.gitignore @@ -26,4 +26,4 @@ npm-debug.log /node_modules/.cache .DS_Store **/.DS_Store -.vscode/ \ No newline at end of file +.vscode/