
[SECURITY] npm i logs bearer token in case there is a formatting issue.

Open falk-stefan opened this issue 1 year ago • 3 comments

Is there an existing issue for this?

  • [X] I have searched the existing issues

This issue exists in the latest npm version

  • [ ] I am using the latest npm

Current Behavior

Accidentally providing a malformed token will print the bearer token to the log output.

I wasn't sure if this is indeed a security risk but I figured it might not hurt to point it out in case it is. Please close the issue right away if this is not critical.

Expected Behavior

Do not print any bearer tokens to standard output.

Steps To Reproduce

Create a .npmrc file

@*******:registry=https://npm.pkg.github.com
//npm.pkg.github.com/:_authToken=${GITHUB_NPM_PAT}

Accidentally append a newline \n to your token e.g.

echo ${{ secrets.GITHUB_TOKEN }} | gcloud secrets versions add $SECRET_NAME --data-file=-

instead of

echo -n ${{ secrets.GITHUB_TOKEN }} | gcloud secrets versions add $SECRET_NAME --data-file=-
     ^^

and npm i writes the following to standard output:

Step #0: [0m[91mnpm error Bearer ghs_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
                                   ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Step #0: npm error is not a legal HTTP header value

Environment

  • npm: 10.8.2
  • node: 20
  • OS: Ubuntu

falk-stefan avatar Oct 05 '24 18:10 falk-stefan

Hi @falk-stefan, could you share the private package for @tapntour so that I can quickly try to troubleshoot the issue to find the RC?

kchindam-infy avatar Oct 17 '24 19:10 kchindam-infy

I introduced a malformed token in the npmrc config and tried it with the latest node and npm version; I could not reproduce the issue, and checked both the terminal output and the detailed logs. Have you tried it on the latest npm version? Would you mind sharing the output screenshot, masking the token?

kchindam-infy avatar Oct 18 '24 19:10 kchindam-infy

@kchindam-infy I'm sorry, I'm currently trying to get something out and do not have the time to give this a try at the moment. I did not use the latest version of npm but v10.8.2. I noticed the output in Google Cloud Build logs.

Since echo "text" will always append a \n I figured this must have been the issue and it started to work after adding the -n flag.

That being said... I then noticed that these tokens seem to be short-lived anyway and that I do not have to persist them, which is why I no longer do this

echo ${{ secrets.GITHUB_TOKEN }} | gcloud secrets versions add $SECRET_NAME --data-file=-

in my CI/CD.

falk-stefan avatar Oct 19 '24 12:10 falk-stefan

The message was raised by node-fetch. Same case here and here.

However, since https://github.com/node-fetch/node-fetch/pull/843 (June 2020!), the error message has been changed and does not include the value anymore.

mbtools avatar Oct 22 '24 01:10 mbtools
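As an added illustration of the two behaviours discussed in this thread (the report above and the node-fetch change mbtools mentions), the following is example code written for this page, not npm's or node-fetch's own implementation. It shows a header-value check that rejects CR/LF (the trailing newline from echo without -n), first in a form that interpolates the raw value into the error message and leaks the token, then in a form that reports only a redacted value. The names isLegalHeaderValue, setHeaderUnsafe, setHeaderSafe, redact and bearerFromSecret, and the sample token, are assumptions made for this example.

```javascript
// Added example (not npm's or node-fetch's code). Names below are illustrative.

// HTTP field values may not contain CR, LF or other control characters
// (HTAB is allowed). A trailing "\n" from `echo` without -n trips this check.
const ILLEGAL_HEADER_CHARS = /[\r\n\x00-\x08\x0b\x0c\x0e-\x1f\x7f]/;

function isLegalHeaderValue(value) {
  return typeof value === 'string' && !ILLEGAL_HEADER_CHARS.test(value);
}

// Keep a short fixed prefix and the length: enough to recognise "Bearer ..."
// in a log, not enough to replay the credential.
function redact(value) {
  const s = String(value);
  return `${s.slice(0, 4)}...(${s.length} chars)`;
}

// Unsafe variant: the raw value goes straight into the error message, which
// is how a bearer token ends up in CI build logs.
function setHeaderUnsafe(headers, name, value) {
  if (!isLegalHeaderValue(value)) {
    throw new TypeError(`${value} is not a legal HTTP header value`);
  }
  headers[name] = value;
}

// Safe variant: same check, but the message names the header and shows only
// a redacted form of the value.
function setHeaderSafe(headers, name, value) {
  if (!isLegalHeaderValue(value)) {
    throw new TypeError(
      `Header "${name}" has an illegal value (${redact(value)})`
    );
  }
  headers[name] = value;
}

// Caller-side mitigation: a token read from a secret store frequently carries
// a trailing newline. Trimming once, explicitly, before building the
// Authorization header avoids the error path entirely.
function bearerFromSecret(raw) {
  return `Bearer ${String(raw).trim()}`;
}

// Run a setter and return its error message (or null if it succeeded).
function errorMessageFor(setter, value) {
  try {
    setter({}, 'Authorization', value);
    return null;
  } catch (e) {
    return e.message;
  }
}

// Constructed sample token for the demonstration; not a real credential.
const SAMPLE = 'ghs_CONSTRUCTEDSAMPLETOKEN0000000000';

function demo() {
  const withNewline = `Bearer ${SAMPLE}\n`;
  const leaky = errorMessageFor(setHeaderUnsafe, withNewline);
  const safe = errorMessageFor(setHeaderSafe, withNewline);
  console.log('unsafe message contains token:', leaky.includes(SAMPLE));
  console.log('safe message contains token:  ', safe.includes(SAMPLE));
  console.log('trimmed header is legal:      ',
    isLegalHeaderValue(bearerFromSecret(`${SAMPLE}\n`)));
}

demo();
```

The safe message still tells an operator which header was rejected and roughly what it looked like, which is what you need to diagnose the echo -n mistake without ever writing the secret to a build log.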

Alright, guess this can be closed then. :+1:

falk-stefan avatar Oct 26 '24 10:10 falk-stefan