fix: redact all private keys from config output

npm · Dec 8, 2021 · a02ede5 · a02ede5
1 parent e1da1fa
commit a02ede5
Show file tree

Hide file tree

Showing 3 changed files with 20 additions and 3 deletions.
diff --git a/lib/commands/config.js b/lib/commands/config.js
@@ -28,7 +28,17 @@ const keyValues = args => {
   return kv
 }
 
-const publicVar = k => !/^(\/\/[^:]+:)?_/.test(k)
+const publicVar = k => {
+  // _password
+  if (k.startsWith('_')) {
+    return false
+  }
+  // //localhost:8080/:_password
+  if (k.startsWith('//') && k.includes(':_')) {
+    return false
+  }
+  return true
+}
 
 const BaseCommand = require('../base-command.js')
 class Config extends BaseCommand {
@@ -147,7 +157,7 @@ class Config extends BaseCommand {
     const out = []
     for (const key of keys) {
       if (!publicVar(key)) {
-        throw `The ${key} option is protected, and cannot be retrieved in this way`
+        throw new Error(`The ${key} option is protected, and cannot be retrieved in this way`)
       }
 
       const pref = keys.length > 1 ? `${key}=` : ''

diff --git a/lib/utils/exit-handler.js b/lib/utils/exit-handler.js
@@ -116,6 +116,7 @@ const exitHandler = err => {
       exitCode = err.code
       noLogMessage = true
     } else if (typeof err === 'string') {
+      // XXX: we should stop throwing strings
       log.error('', err)
       noLogMessage = true
     } else if (!(err instanceof Error)) {

diff --git a/test/lib/commands/config.js b/test/lib/commands/config.js
@@ -333,7 +333,13 @@ t.test('config get private key', async t => {
 
   await t.rejects(
     sandbox.run('config', ['get', '_authToken']),
-    '_authToken is protected',
+    /_authToken option is protected/,
+    'rejects with protected string'
+  )
+
+  await t.rejects(
+    sandbox.run('config', ['get', '//localhost:8080/:_password']),
+    /_password option is protected/,
     'rejects with protected string'
   )
 })