NpmToken detector should verify against the registry URL, if present #1455

Open
rgmz opened this issue Jul 5, 2023 · 1 comment · May be fixed by #3705
Labels
contributions welcomed Signal for help from the community! enhancement pkg/detectors PRs and Issues related to the `detectors` package

Comments

@rgmz
Contributor

rgmz commented Jul 5, 2023

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Description

The NpmToken v1 & v2 detectors are hard-coded to verify tokens against https://registry.npmjs.org/-/whoami:

```go
req, err := http.NewRequestWithContext(ctx, "GET", "https://registry.npmjs.org/-/whoami", nil)
```

```go
req, err := http.NewRequestWithContext(ctx, "GET", "https://registry.npmjs.org/-/whoami", nil)
```

However, npm can be used with registries other than the default (registry.npmjs.org), meaning that valid tokens can inadvertently be marked as unverified. This is especially likely in enterprise environments, which often have internal instances of Nexus Repository, Artifactory, or other artifact repository managers and do not use registry.npmjs.org directly.

Problem to be Addressed

The NpmToken detectors should verify the tokens against the relevant registry/registries, where possible.

Description of the Preferred Solution

NpmTokens are often found in the .npmrc configuration file, where they are required to be scoped to a specific registry.

For example, the following NpmTokens have enough contextual information for TruffleHog to determine what registries they should be checked against instead of registry.npmjs.org:

//artifactory.example.com/:_authToken=NpmToken.18b533de-b347-46bc-8d2e-ae6550c6a16a
//nexus.example.com/repository/npm-proxy/:_authToken=NpmToken.105d5de9-17d0-4a08-a5e9-3e5d7070225b

https://docs.npmjs.com/cli/v9/configuring-npm/npmrc#auth-related-configuration

Additional Context

References

N/A
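The following is an added example of the approach described in the issue, written in Go because that is TruffleHog's language; it is not code from the issue, the linked pull request, or the TruffleHog detectors. It parses the `//host/path/:_authToken=TOKEN` form of `.npmrc`, pairs each token with the registry it is scoped to, and verifies against `<registry>/-/whoami` instead of the hard-coded npmjs endpoint, falling back to registry.npmjs.org only for tokens that carry no registry context. The regex, the `Candidate` type, the function names, the `NPM_VERIFY_LIVE` switch and the sample `.npmrc` in `main` are all assumptions of this example; the two placeholder tokens are the ones quoted in the issue.

```go
package main

import (
	"context"
	"fmt"
	"net/http"
	"net/url"
	"os"
	"regexp"
	"strings"
	"time"
)

// DefaultRegistry is the fallback for tokens found without .npmrc context
// (for example a bare NpmToken in a shell script).
const DefaultRegistry = "https://registry.npmjs.org"

// npmrcAuthLine matches the registry-scoped auth form used in .npmrc:
//
//	//host[:port][/path]/:_authToken=TOKEN
//
// Group 1 is the registry host plus optional path, group 2 is the token.
// (Assumed pattern for this example; the real detector may differ.)
var npmrcAuthLine = regexp.MustCompile(`(?m)^\s*//([^\s"]+?)/?:_authToken\s*=\s*"?([^\s"]+)"?\s*$`)

// Candidate pairs a token with the registry it should be verified against.
type Candidate struct {
	Token    string
	Registry string // absolute base URL, no trailing slash
}

// ParseNpmrc extracts (token, registry) pairs from .npmrc content.
// Placeholders such as ${NPM_TOKEN} are skipped: there is no literal secret.
func ParseNpmrc(content string) []Candidate {
	var out []Candidate
	for _, m := range npmrcAuthLine.FindAllStringSubmatch(content, -1) {
		registry, token := m[1], m[2]
		if strings.HasPrefix(token, "${") {
			continue
		}
		out = append(out, Candidate{
			Token:    token,
			Registry: "https://" + strings.TrimSuffix(registry, "/"),
		})
	}
	return out
}

// WhoamiURL returns <registry>/-/whoami, keeping any path prefix so that
// path-scoped registries (Nexus repositories, Artifactory repos) work.
func WhoamiURL(registry string) (string, error) {
	u, err := url.Parse(registry)
	if err != nil {
		return "", err
	}
	if u.Scheme == "" || u.Host == "" {
		return "", fmt.Errorf("registry %q is not an absolute URL", registry)
	}
	u.Path = strings.TrimSuffix(u.Path, "/") + "/-/whoami"
	return u.String(), nil
}

// Verify presents the token to the registry's whoami endpoint as a Bearer
// credential. 200 means live, 401/403 means rejected, and any other status is
// returned as an error so callers can tell "invalid" from "could not check".
func Verify(ctx context.Context, client *http.Client, c Candidate) (bool, error) {
	endpoint, err := WhoamiURL(c.Registry)
	if err != nil {
		return false, err
	}
	req, err := http.NewRequestWithContext(ctx, http.MethodGet, endpoint, nil)
	if err != nil {
		return false, err
	}
	req.Header.Set("Authorization", "Bearer "+c.Token)
	resp, err := client.Do(req)
	if err != nil {
		return false, err
	}
	defer resp.Body.Close()
	switch resp.StatusCode {
	case http.StatusOK:
		return true, nil
	case http.StatusUnauthorized, http.StatusForbidden:
		return false, nil
	default:
		return false, fmt.Errorf("unexpected status %d from %s", resp.StatusCode, endpoint)
	}
}

func main() {
	// Constructed sample .npmrc: hosts are placeholders, tokens are the ones from the issue.
	const npmrc = `registry=https://registry.npmjs.org/
//artifactory.example.com/:_authToken=NpmToken.18b533de-b347-46bc-8d2e-ae6550c6a16a
//nexus.example.com/repository/npm-proxy/:_authToken=NpmToken.105d5de9-17d0-4a08-a5e9-3e5d7070225b
//registry.npmjs.org/:_authToken=${NPM_TOKEN}
`
	candidates := ParseNpmrc(npmrc)
	// A token seen with no .npmrc context gets the default registry.
	candidates = append(candidates, Candidate{Token: "NpmToken.00000000-0000-0000-0000-000000000000", Registry: DefaultRegistry})
	client := &http.Client{Timeout: 10 * time.Second}
	for _, c := range candidates {
		endpoint, _ := WhoamiURL(c.Registry)
		fmt.Printf("%s -> %s\n", c.Token, endpoint)
		if os.Getenv("NPM_VERIFY_LIVE") != "" { // only hit the network when asked
			ok, err := Verify(context.Background(), client, c)
			fmt.Printf("  verified=%v err=%v\n", ok, err)
		}
	}
}
```

Two caveats for a scanner doing this. First, the registry URL comes from the scanned file, so verification sends the credential to whatever host the file names; the example forces `https://` and rejects non-absolute URLs, but a deployment scanning untrusted repositories should also restrict verification to an allowlist of known registries. Second, a non-2xx/401/403 response (for example a 404 from a registry that does not implement `/-/whoami`) is reported as an error rather than as "unverified", so tokens on such registries are not silently downgraded.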

@dustin-decker
Contributor

Thanks for the information! This would be a good enhancement.

@zricethezav zricethezav added contributions welcomed Signal for help from the community! pkg/detectors PRs and Issues related to the `detectors` package labels Aug 25, 2023
@rgmz rgmz mentioned this issue Dec 28, 2023
@rgmz rgmz linked a pull request Dec 2, 2024 that will close this issue