fix: clean password by using url object itself #178
Merged
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Note
I was asked to open a PR here because it doesn't seem to have that significant risk to npm, but it's best practice to fix this issue, So I just took a copy of the report reported to GitHub Security Team at HackerOne with ID
1917565
, that's the full details for the issue including the fix for this issueDescription:
An invalid replacement has been discovered on npm-cli function
replaceInfo
that's responsible for removing passwords from URLs getting passed to npm, to disallow it from being stored and saved on the logs exposing users passwords since there's many custom private registries at the time that big companies usesNormally the format of HTTP basic authentication credentials is
http://username:password@hostname/path
, thereplaceInfo
function is just replacing the password text with****
four stars by default every time no matter the length of the password, But it hasn't been any sort of validation on the order of the replace function, that means if the basic authentication credentials is the same meaning the username and the password is the sameadmin:admin
thereplaceInfo
function gonna replace the username as the first item instead of replacing the password, showing and confirming for sure the password for that host confirming it's the same as the username.The code is located inside
npm-registry-fetch/lib/clean-url.js
, and the vulnerable code is located hereThe problem with your code is that you're replacing the original
str
that's usually the full URL trying to remove the parsedurl.password
object withreplace
object, and theString.prototype.replace()
function in javascript normally has a max replace of1
that would end up replacing the username of every caseI have modified and written a patch for this issue, Instead of replacing the original
str
variable and giving a chance for the max replace to happen, or implementing an algorithm to keep track of the replaces, I just rebuilt the URL using theurl
object settingurl.password = replace
then building theurl
usingstr = url.toString()
, That's a 100% safe solution for this issue and I have tested it alreadyHere's the new code for
clean-url.js
Should I open a PR on https://github.com/npm/npm-registry-fetch to save you the time?
Steps To Reproduce:
npm ping --registry=http://admin:admin@localhost/
clean-url.js
as I mentioned and try the same command againCheers
Impact
Basic authentication credentials disclosure in certain cases where the username is the same as the password confirmed by the invalid protection method