
[SECURITY] npm i logs bearer token in case there is a formatting issue. #7819

Open
1 of 2 tasks
falk-stefan opened this issue Oct 5, 2024 · 3 comments
Labels
Bug thing that needs fixing Needs Triage needs review for next steps

Comments

falk-stefan commented Oct 5, 2024

Is there an existing issue for this?

  • I have searched the existing issues

This issue exists in the latest npm version

  • I am using the latest npm

Current Behavior

Accidentally providing a malformed token will print the bearer token to the log output.

I wasn't sure if this is indeed a security risk but I figured it might not hurt to point it out in case it is. Please close the issue right away if this is not critical.

Expected Behavior

Do not print any bearer tokens to standard output.

Steps To Reproduce

Create a .npmrc file

@*******:registry=https://npm.pkg.github.com
//npm.pkg.github.com/:_authToken=${GITHUB_NPM_PAT}

Accidentally append a newline \n to your token, e.g.

echo ${{ secrets.GITHUB_TOKEN }} | gcloud secrets versions add $SECRET_NAME --data-file=-

instead of

echo -n ${{ secrets.GITHUB_TOKEN }} | gcloud secrets versions add $SECRET_NAME --data-file=-
     ^^

and npm i writes the following to standard output:

Step #0: npm error Bearer ghs_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
                          ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Step #0: npm error is not a legal HTTP header value

Environment

  • npm: 10.8.2
  • node: 20
  • OS: Ubuntu
@falk-stefan falk-stefan added Bug thing that needs fixing Needs Triage needs review for next steps labels Oct 5, 2024
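The failure mode reported above is a token value that carries a control character (here a trailing \n from echo) and an error path that echoes the whole header value back. The block below is an added example, not npm's own code, showing the defensive shape a client can use: validate the token against the same control-character rule Node's http module applies, and build an error message that names the offending code point and the token's length and prefix but never the secret itself. The token string, the redaction format and the function names are assumptions for illustration.

```javascript
// Added example (not npm's own code): validate a registry auth token before it
// goes into an Authorization header, and keep the raw secret out of error text.
//
// Node's http module rejects header values containing control characters
// (anything below 0x20 other than TAB, plus 0x7F); this regex mirrors that rule.
const ILLEGAL_HEADER_CHAR = /[\u0000-\u0008\u000a-\u001f\u007f]/;

// Keep only a short, non-secret prefix (e.g. "ghs_") so the log still says
// which kind of token was involved, plus the length, which is what a trailing
// newline actually changes. Redaction format is an assumption of this example.
function redactToken(token) {
  const prefix = token.length > 4 ? token.slice(0, 4) : '';
  return `${prefix}***(len=${token.length})`;
}

// Report which illegal characters were found, by code point, not where they
// sit inside the secret. A "\n" left behind by `echo` shows up as U+000A.
function describeIllegalChars(token) {
  const found = new Set();
  for (const ch of token) {
    if (ILLEGAL_HEADER_CHAR.test(ch)) {
      found.add('U+' + ch.codePointAt(0).toString(16).toUpperCase().padStart(4, '0'));
    }
  }
  return [...found];
}

// Build the header, or throw an error whose message never contains the token.
function buildAuthHeader(token) {
  if (typeof token !== 'string' || token.length === 0) {
    throw new Error('auth token is missing or empty');
  }
  const bad = describeIllegalChars(token);
  if (bad.length > 0) {
    throw new Error(
      `auth token ${redactToken(token)} contains illegal HTTP header character(s) ` +
      `${bad.join(', ')}; check for a trailing newline (use echo -n or printf)`);
  }
  return { Authorization: `Bearer ${token}` };
}

// Constructed sample values, not real credentials.
const GOOD = 'ghs_constructedsampletoken1234';
const BAD = GOOD + '\n'; // what `echo` without -n produces

// Run both cases and return what a log would see for each.
function demo() {
  const results = {};
  results.good = buildAuthHeader(GOOD).Authorization;
  try {
    buildAuthHeader(BAD);
  } catch (err) {
    results.badMessage = err.message;
  }
  return results;
}

console.log(demo());
```

With the newline-terminated token the message reads roughly "auth token ghs_***(len=31) contains illegal HTTP header character(s) U+000A; check for a trailing newline", which is enough to diagnose the echo vs echo -n mistake from CI logs without the credential ever being written out.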
@kchindam-infy commented

Hi @falk-stefan, could you share the private package for @TapNTour so that I can quickly try to troubleshoot the issue and find the RC?

@kchindam-infy commented

I introduced a malformed token in the npmrc config and tried it with the latest node and npm versions but could not reproduce the issue; I checked both the terminal output and the detailed logs. Have you tried it on the latest npm version? Would you mind sharing a screenshot of the output, masking the token?

@falk-stefan (Author) commented

@kchindam-infy I'm sorry, I'm currently trying to get something out and do not have the time to give this a try at the moment. I did not use the latest version of npm but v10.8.2. I noticed the output in Google Cloud Build logs.

Since echo "text" will always append a \n, I figured this must have been the issue, and it started to work after adding the -n flag.

That being said, I then noticed that these tokens seem to be short-lived anyway and that I do not have to persist them, which is why I no longer do this

echo ${{ secrets.GITHUB_TOKEN }} | gcloud secrets versions add $SECRET_NAME --data-file=-

in my CI/CD.
