bufferoverflow / verdaccio-gitlab

private npm registry (Verdaccio) using gitlab-ce as authentication and authorization provider
MIT License

Empty auth leads to traceback #72

Open jbergstroem opened 5 years ago

jbergstroem commented 5 years ago

In gitlab CI we currently use `_auth` to pass credentials (username/auth token as base64). While some of the CI users were testing this they forgot to pass credentials, which ultimately led to an HTTP 500. This led to some confusion since the expected reply should likely be 400 not authenticated. Steps to reproduce:

```
$ export NPM_USERNAME="" && export NPM_TOKEN=""
$ npm config set @foo:registry=https://mysite.com/npm
$ export AUTH=$(echo "$NPM_USERNAME:$NPM_TOKEN" | base64)
$ npm config set //mysite.com/npm/:_auth=$AUTH
$ npm install --no-audit
info <-- 10.0.1.5 requested 'GET /@foo/bar/-/bar-1.0.0.tgz'
 error--- unexpected error: `token` (private-token) or `oauth_token` is mandatory
Error: `token` (private-token) or `oauth_token` is mandatory
    at new BaseModel (/opt/verdaccio-gitlab/node_modules/gitlab/dist/latest/infrastructure/BaseService.js:33:13)
    at new Groups (/opt/verdaccio-gitlab/node_modules/gitlab/dist/latest/services/Groups.js:10:1)
    at Bundle.Object.entries.forEach (/opt/verdaccio-gitlab/node_modules/gitlab/dist/latest/infrastructure/Bundler.js:13:22)
    at Array.forEach (<anonymous>)
    at new Bundle (/opt/verdaccio-gitlab/node_modules/gitlab/dist/latest/infrastructure/Bundler.js:12:32)
    at VerdaccioGitLab.authenticate (/opt/verdaccio-gitlab/build/gitlab.js:82:23)
    at next (/opt/verdaccio/build/lib/auth.js:94:14)
    at Auth.authenticate (/opt/verdaccio/build/lib/auth.js:122:7)
    at Auth._handleAESMiddleware (/opt/verdaccio/build/lib/auth.js:299:12)
    at /opt/verdaccio/build/lib/auth.js:258:14
    at Layer.handle [as handle_request] (/opt/verdaccio/node_modules/express/lib/router/layer.js:95:5)
    at trim_prefix (/opt/verdaccio/node_modules/express/lib/router/index.js:317:13)
    at /opt/verdaccio/node_modules/express/lib/router/index.js:284:7
    at Function.process_params (/opt/verdaccio/node_modules/express/lib/router/index.js:335:12)
    at next (/opt/verdaccio/node_modules/express/lib/router/index.js:275:10)
    at Function.handle (/opt/verdaccio/node_modules/express/lib/router/index.js:174:3)
    at router (/opt/verdaccio/node_modules/express/lib/router/index.js:47:12)
    at Layer.handle [as handle_request] (/opt/verdaccio/node_modules/express/lib/router/layer.js:95:5)
    at trim_prefix (/opt/verdaccio/node_modules/express/lib/router/index.js:317:13)
    at /opt/verdaccio/node_modules/express/lib/router/index.js:284:7
    at Function.process_params (/opt/verdaccio/node_modules/express/lib/router/index.js:335:12)
    at next (/opt/verdaccio/node_modules/express/lib/router/index.js:275:10)
```
dlouzan commented 5 years ago

I'll take a deeper look tomorrow, but I guess we just need to do some defensive programming and properly check parameters :-)
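An added example, not code from verdaccio-gitlab, of the parameter check discussed above in the shape of a Verdaccio auth plugin's `authenticate(user, password, cb)`: empty credentials are rejected before the GitLab client is constructed, so the request fails with a client error instead of an uncaught exception. `makeGitlabClient`, `httpError` and `decodeAuth` are hypothetical stand-ins, and reporting the HTTP status through `err.status` is an assumption about how the registry maps plugin errors to responses.

```javascript
// Hypothetical error helper: carries the HTTP status the registry should send
// (assumption: the registry honours err.status when a plugin returns an error).
function httpError(status, message) {
  const err = new Error(message);
  err.status = status;
  return err;
}

// Stand-in for the gitlab library's client constructor. Like the real one in the
// stack trace above, it throws when no token is supplied; the group list is a stub.
function makeGitlabClient(url, token) {
  if (!token) throw new Error('`token` (private-token) or `oauth_token` is mandatory');
  return { url, token, groups: () => ['@foo'] }; // constructed stub result
}

// Decodes the `_auth` value npm sends: base64 of "user:token". Only the first
// colon separates the fields, because tokens may themselves contain colons.
function decodeAuth(b64) {
  const [user, ...rest] = Buffer.from(b64, 'base64').toString('utf8').split(':');
  return { user: user || '', password: rest.join(':') };
}

// Plugin-style authenticate: cb(err, groups); cb(err, false) signals a failed login.
function authenticate(user, password, cb) {
  // Defensive check first: a blank (or whitespace-only) username or token is a
  // client mistake and must never reach the GitLab client constructor.
  if (typeof user !== 'string' || user.trim() === '' ||
      typeof password !== 'string' || password.trim() === '') {
    return cb(httpError(401, 'username and token are required'), false);
  }
  let client;
  try {
    client = makeGitlabClient('https://gitlab.example.invalid', password);
  } catch (e) {
    // The constructor only throws for missing/invalid credential input, so it
    // is reported as a client error rather than surfacing as a 500.
    return cb(httpError(401, `gitlab client rejected credentials: ${e.message}`), false);
  }
  return cb(null, client.groups());
}

module.exports = { httpError, makeGitlabClient, decodeAuth, authenticate };
```

Note that `echo` in the reproduction appends a newline before base64-encoding, so the decoded token is `"\n"` rather than truly empty; the `trim()` in the check catches that case as well.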