Skip to content

Commit

Permalink
fix(config): be more aggressive about hiding protected values (#7504)
Browse files Browse the repository at this point in the history
Err on the side of not displaying things even if they're not valid
config
  • Loading branch information
wraithgar authored May 10, 2024
1 parent bdd2aae commit db62910
Show file tree
Hide file tree
Showing 3 changed files with 214 additions and 169 deletions.
39 changes: 34 additions & 5 deletions lib/commands/config.js
Original file line number Diff line number Diff line change
Expand Up @@ -9,15 +9,33 @@ const { log, output } = require('proc-log')
const BaseCommand = require('../base-cmd.js')

// These are the configs that we can nerf-dart. Not all of them currently even
// *have* config definitions so we have to explicitly validate them here
// *have* config definitions so we have to explicitly validate them here.
// This is used to validate during "npm config set"
const nerfDarts = [
'_auth',
'_authToken',
'username',
'_password',
'certfile',
'email',
'keyfile',
'username',
]
// These are the config values to swap with "protected". It does not catch
// every single sensitive thing a user may put in the npmrc file but it gets
// the common ones. This is distinct from nerfDarts because that is used to
// validate valid configs during "npm config set", and folks may have old
// invalid entries lying around in a config file that we still want to protect
// when running "npm config list"
// This is a more general list of values to consider protected. You can not
// "npm config get" them, and they will not display during "npm config list"
const protected = [
'auth',
'authToken',
'certfile',
'email',
'keyfile',
'password',
'username',
]

// take an array of `[key, value, k2=v2, k3, v3, ...]` and turn into
Expand All @@ -40,10 +58,21 @@ const publicVar = k => {
if (k.startsWith('_')) {
return false
}
// //localhost:8080/:_password
if (k.startsWith('//') && k.includes(':_')) {
if (protected.includes(k)) {
return false
}
// //localhost:8080/:_password
if (k.startsWith('//')) {
if (k.includes(':_')) {
return false
}
// //registry:_authToken or //registry:authToken
for (const p of protected) {
if (k.endsWith(`:${p}`) || k.endsWith(`:_${p}`)) {
return false
}
}
}
return true
}

Expand Down Expand Up @@ -320,7 +349,7 @@ ${defData}
const src = this.npm.config.find(k)
const overridden = src !== where
msg.push((overridden ? '; ' : '') +
`${k} = ${v} ${overridden ? `; overridden by ${src}` : ''}`)
`${k} = ${v}${overridden ? ` ; overridden by ${src}` : ''}`)
}
msg.push('')
}
Expand Down
Loading

0 comments on commit db62910

Please sign in to comment.