fixup! fix(config): protect proxy if it contains basic auth

npm · May 14, 2024 · 709cbea · 709cbea
1 parent 305241e
commit 709cbea
Showing 1 changed file with 15 additions and 25 deletions.
diff --git a/lib/commands/config.js b/lib/commands/config.js
@@ -39,13 +39,6 @@ const protected = [
   'username',
 ]
 
-// These values might contain url basic auth so we only redact them
-// if necessary
-const redacted = [
-  'proxy',
-  'registry',
-]
-
 // take an array of `[key, value, k2=v2, k3, v3, ...]` and turn into
 // { key: value, k2: v2, k3: v3 }
 const keyValues = args => {
@@ -61,39 +54,36 @@ const keyValues = args => {
   return kv
 }
 
-const publicVar = (k, v) => {
+const isProtected = (k) => {
   // _password
   if (k.startsWith('_')) {
-    return false
+    return true
   }
   if (protected.includes(k)) {
-    return false
+    return true
   }
   // //localhost:8080/:_password
   if (k.startsWith('//')) {
     if (k.includes(':_')) {
-      return false
+      return true
     }
     // //registry:_authToken or //registry:authToken
     for (const p of protected) {
       if (k.endsWith(`:${p}`) || k.endsWith(`:_${p}`)) {
-        return false
+        return true
       }
     }
   }
-  // Redacted fields are public unless they contain redacted info
-  if (redacted.includes(k)) {
-    return redact(v) === v
-  }
-  return true
+  return false
 }
 
-const displayVar = (k, v) => {
-  const value = publicVar(k, v) || redacted.includes(k)
-    ? JSON.stringify(redact(v))
-    : '(protected)'
-  return `${k} = ${value}`
-}
+// Redacted fields are public unless they contain redacted info
+const isRedacted = (v) => redact(v) !== v
+
+const isPrivate = (k, v) => isProtected(k) || isRedacted(v)
+
+const displayVar = (k, v) =>
+  `${k} = ${isProtected(k, v) ? '(protected)' : JSON.stringify(redact(v))}`
 
 class Config extends BaseCommand {
   static description = 'Manage the npm configuration files'
@@ -226,7 +216,7 @@ class Config extends BaseCommand {
     const out = []
     for (const key of keys) {
       const val = this.npm.config.get(key)
-      if (!publicVar(key, val)) {
+      if (isPrivate(key, val)) {
         throw new Error(`The ${key} option is protected, and can not be retrieved in this way`)
       }
 
@@ -409,7 +399,7 @@ ${defData}
     const publicConf = {}
     for (const key in this.npm.config.list[0]) {
       const value = this.npm.config.get(key)
-      if (!publicVar(key, value)) {
+      if (isPrivate(key, value)) {
         continue
       }