Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[BUG] Password in plain text when getting the proxy details from config through CLI #3867

Closed
1 task done
OutOfCoffeeError opened this issue Oct 9, 2021 · 1 comment · Fixed by #7521
Closed
1 task done

[BUG] Password in plain text when getting the proxy details from config through CLI #3867

OutOfCoffeeError opened this issue Oct 9, 2021 · 1 comment · Fixed by #7521
Assignees
@lukekarrys
Labels
Bug thing that needs fixing Release 6.x work is associated with a specific npm 6 release Security security related

Comments

@OutOfCoffeeError
Copy link

Is there an existing issue for this?

  • I have searched the existing issues

Current Behavior

Whenever we set the proxy in our config through CLI command
npm config set proxy "http://username:password@servername:port/"
It is stored in plain text in our config, so whenever we fire the following command
npm get proxy
the sensitive information like password is shown on CLI, which I think is a security vulnerability.
Also, the password is also stored in your local config file as a plain text.

Expected Behavior

When npm get proxy is fired, the password should not be shown or should be encrypted. Password in your local npm config file also should be encrypted.

Steps To Reproduce

first run the command to setup your proxy for npm
npm config set proxy "http://domain\username:password@servername:port/"
then run
npm get proxy

Environment

  • OS: Windows
  • Node: 12.16.3
  • npm: 6.14.4
@OutOfCoffeeError OutOfCoffeeError added Bug thing that needs fixing Needs Triage needs review for next steps Release 7.x work is associated with a specific npm 7 release labels Oct 9, 2021
@ljharb
Copy link
Collaborator

ljharb commented Oct 9, 2021

The security vulnerability is using http basic auth at all.

There’s no way to avoid storing the password in the clear, since it’s part of the URL. Even if it were encrypted in npmrc, a user could use wireshark to view the fully decrypted url.

@ruyadorno ruyadorno added Release 6.x work is associated with a specific npm 6 release and removed Release 7.x work is associated with a specific npm 7 release Needs Triage needs review for next steps labels Jan 25, 2022
@lukekarrys lukekarrys added the Security security related label Apr 11, 2022
@lukekarrys lukekarrys self-assigned this May 11, 2024
lukekarrys added a commit that referenced this issue May 13, 2024
@lukekarrys
fix(config): protect proxy if it contains basic auth
724e102 
Fixes #3867
@lukekarrys lukekarrys mentioned this issue May 13, 2024
Merged
lukekarrys added a commit that referenced this issue May 14, 2024
@lukekarrys
fix(config): use redact on config output (#7521)
badeac2 
Fixes #3867
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@lukekarrys lukekarrys

Labels
Bug thing that needs fixing Release 6.x work is associated with a specific npm 6 release Security security related
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

fix(config): use redact on config output npm/cli
4 participants
@ljharb @ruyadorno @lukekarrys @OutOfCoffeeError