Repeat.js TypeError with npm search #2780

Closed
danmooney opened this Issue Sep 3, 2012 · 3 comments


@danmooney

Got this debug log after "npm search":

0 info it worked if it ends with ok
1 verbose cli [ 'C:\Program Files\nodejs\node.exe',
1 verbose cli 'C:\Program Files\nodejs\node_modules\npm\bin\npm-cli.js',
1 verbose cli 'search' ]
2 info using npm@1.1.59
3 info using node@v0.8.8
4 verbose node symlink C:\Program Files\nodejs\node.exe
5 verbose url raw /-/all/since?stale=update_after&startkey=1346693209000
6 verbose url resolving [ 'https://registry.npmjs.org/',
6 verbose url resolving './-/all/since?stale=update_after&startkey=1346693209000' ]
7 verbose url resolved https://registry.npmjs.org/-/all/since?stale=update_after&startkey=1346693209000
8 info retry registry request attempt 1 at 13:29:15
9 http GET https://registry.npmjs.org/-/all/since?stale=update_after&startkey=1346693209000
10 http 200 https://registry.npmjs.org/-/all/since?stale=update_after&startkey=1346693209000
11 error TypeError: Object Repeat.js is a javascript library that makes working with repeated actions pure joy by ,removing the need for setTimeout/setInterval and somewhat error prone timer references has no method 'replace'
11 error at C:\Program Files\nodejs\node_modules\npm\lib\search.js:184:19
11 error at Array.forEach (native)
11 error at C:\Program Files\nodejs\node_modules\npm\lib\search.js:176:7
11 error at Array.map (native)
11 error at prettify (C:\Program Files\nodejs\node_modules\npm\lib\search.js:162:6)
11 error at C:\Program Files\nodejs\node_modules\npm\lib\search.js:54:17
11 error at C:\Program Files\nodejs\node_modules\npm\lib\search.js:63:12
11 error at C:\Program Files\nodejs\node_modules\npm\node_modules\npm-registry-client\lib\get.js:89:14
11 error at fs.close (C:\Program Files\nodejs\node_modules\npm\node_modules\graceful-fs\graceful-fs.js:92:5)
11 error at Object.oncomplete (fs.js:297:15)
12 error If you need help, you may report this log at:
12 error http://github.com/isaacs/npm/issues
12 error or email it to:
12 error npm-@googlegroups.com
13 error System Windows_NT 6.1.7601
14 error command "C:\Program Files\nodejs\node.exe" "C:\Program Files\nodejs\node_modules\npm\bin\npm-cli.js" "search"
15 error cwd C:\Users\Dan\Sites\node_tests\exercise_files\3 Modules\1 What is a module\data_module
16 error node -v v0.8.8
17 error npm -v 1.1.59
18 error type undefined_method
19 verbose exit [ 1, true ]

@mfncooper
Member

This is caused by a bug in the 'repeat' library. The package.json file for that package uses an array for the 'description' field. The spec in npm help json clearly states "It's a string". You'll need to take this up with the author of 'repeat'.

@mfncooper mfncooper closed this Sep 3, 2012
@deoxxa
deoxxa commented Sep 5, 2012

This seems like a pretty obvious DoS vector. Not sure "it's completely someone else's problem" is a great answer. You're right in that the description field was incorrect (I actually fixed it and sent a pull request) but that shouldn't completely break the npm client whenever it encounters invalid data.

Consider this: someone creates a module with the term "express" or "connect" in the tags, with an object in the description field. Now anyone searching for either of those terms (probably a couple of the most commonly searched for terms) gets a nice big error instead of their search results.

@isaacs
Member
isaacs commented Sep 8, 2012

@deoxxa I agree. It should be handled everywhere: in the registry to prevent this, in read-package-json to avoid attempting to publish such a thing, and in the client to coerce it to a string.

@isaacs isaacs reopened this Sep 8, 2012
@isaacs isaacs added a commit to npm/read-package-json that referenced this issue Sep 8, 2012
@isaacs isaacs Don't allow non-string description fields 1a3cdca
@isaacs isaacs added a commit that referenced this issue Sep 8, 2012
@isaacs isaacs search: Coerce fields to strings
re: #2780
6c64cda
@isaacs isaacs added a commit to npm/npm-registry-couchapp that referenced this issue Sep 8, 2012
@isaacs isaacs Require that description be a string if set c987fe4
@isaacs isaacs closed this Sep 8, 2012