Skip to content

Commit db62910

Browse files
wraithgarwraithgar
authored
fix(config): be more aggressive about hiding protected values (#7504)
Err on the side of not displaying things even if they're not valid config
1 parent bdd2aae commit db62910

File tree

3 files changed

+214
-169
lines changed

3 files changed

+214
-169
lines changed

lib/commands/config.js

Lines changed: 34 additions & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -9,15 +9,33 @@ const { log, output } = require('proc-log')
99
const BaseCommand = require('../base-cmd.js')
1010

1111
// These are the configs that we can nerf-dart. Not all of them currently even
12-
// *have* config definitions so we have to explicitly validate them here
12+
// *have* config definitions so we have to explicitly validate them here.
13+
// This is used to validate during "npm config set"
1314
const nerfDarts = [
1415
'_auth',
1516
'_authToken',
16-
'username',
1717
'_password',
18+
'certfile',
1819
'email',
20+
'keyfile',
21+
'username',
22+
]
23+
// These are the config values to swap with "protected". It does not catch
24+
// every single sensitive thing a user may put in the npmrc file but it gets
25+
// the common ones. This is distinct from nerfDarts because that is used to
26+
// validate valid configs during "npm config set", and folks may have old
27+
// invalid entries lying around in a config file that we still want to protect
28+
// when running "npm config list"
29+
// This is a more general list of values to consider protected. You can not
30+
// "npm config get" them, and they will not display during "npm config list"
31+
const protected = [
32+
'auth',
33+
'authToken',
1934
'certfile',
35+
'email',
2036
'keyfile',
37+
'password',
38+
'username',
2139
]
2240

2341
// take an array of `[key, value, k2=v2, k3, v3, ...]` and turn into
@@ -40,10 +58,21 @@ const publicVar = k => {
4058
if (k.startsWith('_')) {
4159
return false
4260
}
43-
// //localhost:8080/:_password
44-
if (k.startsWith('//') && k.includes(':_')) {
61+
if (protected.includes(k)) {
4562
return false
4663
}
64+
// //localhost:8080/:_password
65+
if (k.startsWith('//')) {
66+
if (k.includes(':_')) {
67+
return false
68+
}
69+
// //registry:_authToken or //registry:authToken
70+
for (const p of protected) {
71+
if (k.endsWith(`:${p}`) || k.endsWith(`:_${p}`)) {
72+
return false
73+
}
74+
}
75+
}
4776
return true
4877
}
4978

@@ -320,7 +349,7 @@ ${defData}
320349
const src = this.npm.config.find(k)
321350
const overridden = src !== where
322351
msg.push((overridden ? '; ' : '') +
323-
`${k} = ${v} ${overridden ? `; overridden by ${src}` : ''}`)
352+
`${k} = ${v}${overridden ? ` ; overridden by ${src}` : ''}`)
324353
}
325354
msg.push('')
326355
}

0 commit comments

Comments
 (0)