npm uses auth token from registry on http[s]:// dependencies, breaking BitBucket URLs #8380
Comments
This has been moved to the npm roadmap, which we're using instead of the confusing
The 302s are definitely our (Bitbucket's) fault though. We should be able to get back a saner status code and stop the infinite redirect. Can anyone point me where the http request is made in npm?
@wbinnssmith https://github.com/npm/npm-registry-client/blob/master/lib/fetch.js#L68-L91 is the bit that actually invokes
I'm having trouble reproducing this (I'm one of the Bitbucket devs). Can you reproduce this with curl on the command line and hand me a command I can test with? Go ahead and obscure the actual token value.
I would think this can be considered a security issue - you're leaking the npm auth token to a web server hosting a dependency. For repro, you can use this:
The Azure blob storage will give you 403 because of the bearer token.
Yes, this is a security issue. I have reported this in November 2015 to
There is a related issue here: mapbox/mapbox-upload-validate#28 My full report to them is here: I noticed that npm is adding an Authorization header to all requests it is making, to all sites, giving my npm token to everyone. And it is doing that even over plain connections. For example if I have
And I run
See the My
So, observe that I used HTTP and not HTTPS with requestb.in. I observed this when downloading a file from AWS because AWS was returning HTTP 400 because the authorization header was invalid for them.
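The comments above describe the root cause: the client attached the registry's bearer token to every outbound request, including tarball fetches from Bitbucket, Azure blob storage and a plain-http requestb.in endpoint. The following is an added example (not npm's or npm-registry-client's code) of the defensive rule a fetch layer should apply: a token is scoped to the registry's origin and to https, and an audit function flags any recorded request that carried the header elsewhere. The registry URL, the token string, the bitbucket.org/Azure/requestb.in paths and the sample request list are all constructed for the example.

```javascript
// Added example (not npm's own code): scope a registry auth token to the
// registry origin so dependency downloads from other hosts never carry it.
// REGISTRY and TOKEN are hypothetical values chosen for the example.
const REGISTRY = 'https://registry.npmjs.org/';
const TOKEN = 'npm-token-placeholder'; // constructed placeholder, not a real token

// Returns true only when the request goes to the same host (and port) as the
// configured registry and both sides use https. A plain-http request to the
// registry host is refused too, so the token never travels unencrypted.
function shouldSendAuth(registryUrl, requestUrl) {
  const reg = new URL(registryUrl);
  const req = new URL(requestUrl);
  return reg.protocol === 'https:' &&
         req.protocol === 'https:' &&
         reg.host === req.host; // URL.host includes a non-default port
}

// Builds request headers, attaching Authorization only when allowed.
// Call this again for every redirect hop: a 302 from the registry to another
// host must not inherit the header.
function buildHeaders(registryUrl, requestUrl, token) {
  const headers = { 'user-agent': 'example-client/0.0' };
  if (shouldSendAuth(registryUrl, requestUrl)) {
    headers.authorization = `Bearer ${token}`;
  }
  return headers;
}

// Audits a list of recorded outbound requests and returns the URLs of those
// that carried an Authorization header to a non-registry origin, i.e. the
// leak described in this issue.
function findTokenLeaks(registryUrl, requests) {
  return requests
    .filter(r => r.headers.authorization && !shouldSendAuth(registryUrl, r.url))
    .map(r => r.url);
}

// Constructed sample of what a leaky client would have sent (paths invented).
const SAMPLE_REQUESTS = [
  { url: 'https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz',
    headers: { authorization: 'Bearer x' } },
  { url: 'https://bitbucket.org/someuser/somerepo/get/master.tar.gz',
    headers: { authorization: 'Bearer x' } },
  { url: 'http://requestb.in/example',
    headers: { authorization: 'Bearer x' } },
  { url: 'https://example.blob.core.windows.net/pkg.tgz',
    headers: {} },
];

// Running the audit over the sample reports the Bitbucket and requestb.in
// requests; the registry request is legitimate and the Azure one sent nothing.
const LEAKS = findTokenLeaks(REGISTRY, SAMPLE_REQUESTS);
console.log('token sent to non-registry origins:', LEAKS);
```

Matching on the full origin rather than on "is this a dependency download" is the important design choice: it covers the redirect case the Bitbucket developer mentions, because each hop's URL is re-checked before headers are built, and it also refuses to send the token over http to the registry host itself.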
npm@2.10.1
Excerpt from the log:
further:
Removing the auth token with
npm logout
helps. Apparently BitBucket server reacts badly to foreign auth tokens. This issue has not been observed with npm 1.x.