From 80c6f732bd32baedc52f5271d1409834007402a7 Mon Sep 17 00:00:00 2001
From: Luke Karrys
Date: Fri, 18 Mar 2022 20:47:05 -0700
Subject: [PATCH 1/2] chore: remove unused log file
---
 lib/silentlog.js | 14 --------------
 1 file changed, 14 deletions(-)
 delete mode 100644 lib/silentlog.js
diff --git a/lib/silentlog.js b/lib/silentlog.js
deleted file mode 100644
index 483bd44c..00000000
--- a/lib/silentlog.js
+++ /dev/null
@@ -1,14 +0,0 @@
-'use strict'
-
-const noop = Function.prototype
-module.exports = {
- error: noop,
- warn: noop,
- notice: noop,
- info: noop,
- verbose: noop,
- silly: noop,
- http: noop,
- pause: noop,
- resume: noop,
-}
From 5e148f1f026f8f2edee040aa418cd88fae173a65 Mon Sep 17 00:00:00 2001
From: Luke Karrys
Date: Fri, 18 Mar 2022 20:47:34 -0700
Subject: [PATCH 2/2] feat: clean token from logged urls and export helper
---
 lib/check-response.js | 15 ++-------------
 lib/clean-url.js | 24 ++++++++++++++++++++++++
 lib/index.js | 2 ++
 test/check-response.js | 28 ++++++++++++++++++++++++++++
 4 files changed, 56 insertions(+), 13 deletions(-)
 create mode 100644 lib/clean-url.js
diff --git a/lib/check-response.js b/lib/check-response.js
index 872ec8a8..71451390 100644
--- a/lib/check-response.js
+++ b/lib/check-response.js
@@ -4,6 +4,7 @@ const errors = require('./errors.js')
 const { Response } = require('minipass-fetch')
 const defaultOpts = require('./default-opts.js')
 const log = require('proc-log')
+const cleanUrl = require('./clean-url.js')
 /* eslint-disable-next-line max-len */
 const moreInfoUrl = 'https://github.com/npm/cli/wiki/No-auth-for-URI,-but-auth-present-for-scoped-registry'
@@ -45,19 +46,7 @@ function logRequest (method, res, startTime) {
 const attemptStr = attempt && attempt > 1 ? ` attempt #${attempt}` : ''
 const cacheStatus = res.headers.get('x-local-cache-status')
 const cacheStr = cacheStatus ? ` (cache ${cacheStatus})` : ''
-
- let urlStr
- try {
- const { URL } = require('url')
- const url = new URL(res.url)
- if (url.password) {
- url.password = '***'
- }
-
- urlStr = url.toString()
- } catch (er) {
- urlStr = res.url
- }
+ const urlStr = cleanUrl(res.url)
 log.http(
 'fetch',
diff --git a/lib/clean-url.js b/lib/clean-url.js
new file mode 100644
index 00000000..ba31dc46
--- /dev/null
+++ b/lib/clean-url.js
@@ -0,0 +1,24 @@
+const { URL } = require('url')
+
+const replace = '***'
+const tokenRegex = /\bnpm_[a-zA-Z0-9]{36}\b/g
+const guidRegex = /\b[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\b/g
+
+const cleanUrl = (str) => {
+ if (typeof str !== 'string' || !str) {
+ return str
+ }
+
+ try {
+ const url = new URL(str)
+ if (url.password) {
+ str = str.replace(url.password, replace)
+ }
+ } catch {}
+
+ return str
+ .replace(tokenRegex, `npm_${replace}`)
+ .replace(guidRegex, `npm_${replace}`)
+}
+
+module.exports = cleanUrl
diff --git a/lib/index.js b/lib/index.js
index 19c92140..a0fc280a 100644
--- a/lib/index.js
+++ b/lib/index.js
@@ -239,3 +239,5 @@ function getHeaders (uri, auth, opts) {
 return headers
 }
+
+module.exports.cleanUrl = require('./clean-url.js')
diff --git a/test/check-response.js b/test/check-response.js
index d005e3ff..93e69182 100644
--- a/test/check-response.js
+++ b/test/check-response.js
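Review bot: In lib/clean-url.js, `str.replace(url.password, replace)` masks only the first occurrence of the password text anywhere in the URL, so when the same text appears earlier (a username equal to the password, or a short password that also occurs in the scheme or host) the earlier occurrence is masked and the real password still reaches the log line written by logRequest. `url.password` is also the parser's percent-encoded form, so a password written unencoded in the input may not match and would be left in place; this is worth confirming with a test. The code this commit removes from logRequest set the field on the parsed URL instead, and keeping that inside the `try` — `url.password = replace` followed by `str = url.toString()` — avoids both cases, at the cost of logging the normalized URL. Separately, `guidRegex` matches lowercase hex only and rewrites a GUID as `npm_***`; a one-line comment naming the token format it targets would make that intent reviewable.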
@@ -135,6 +135,34 @@ t.test('redact password from log', t => {
 t.match(msg, /^GET 200 http:\/\/username:\*\*\*@example.com\/foo\/bar\/baz [0-9]+m?s/)
 })
+t.test('redact well known token from log', t => {
+ const headers = new Headers()
+ const EE = require('events')
+ headers.get = header => undefined
+ const res = Object.assign({}, mockFetchRes, {
+ headers,
+ status: 200,
+ url: `http://example.com/foo/bar/baz/npm_${'a'.repeat(36)}`,
+ body: new EE(),
+ })
+ t.plan(2)
+ let header, msg
+ process.on('log', (level, ...args) => {
+ if (level === 'http') {
+ ;[header, msg] = args
+ }
+ })
+ checkResponse({
+ method: 'get',
+ res,
+ registry,
+ startTime,
+ })
+ res.body.emit('end')
+ t.equal(header, 'fetch')
+ t.match(msg, /^GET 200 http:\/\/example.com\/foo\/bar\/baz\/npm_\*\*\* [0-9]+m?s/)
+})
+
 /* eslint-disable-next-line max-len */
 const moreInfoUrl = 'https://github.com/npm/cli/wiki/No-auth-for-URI,-but-auth-present-for-scoped-registry'
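Review bot: The added test exercises only the `npm_` token form, so the `guidRegex` branch of `cleanUrl` has no coverage here and a regression in it would pass unnoticed; a second case with a constructed GUID-shaped path segment, and one where the username equals the password, would pin the redaction behaviour. The `process.on('log', ...)` listener is never removed, so it stays registered for every later test in the file. Naming the handler and adding `t.teardown(() => process.removeListener('log', onLog))` would keep the tests isolated. The `header` parameter in `headers.get = header => undefined` is unused and can be dropped.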