rumax
September 25, 2018, 8:39am
1
Following the https://circleci.com/blog/publishing-npm-packages-using-circleci-2-0/ manual, it’s possible to define $npm_TOKEN which is used to publish to NPM.
The job that does it uses:
      - run:
          name: Authenticate with registry
          command: echo "//registry.npmjs.org/:_authToken=$npm_TOKEN" > ~/repo/.npmrc
But there is a possibility to add a new job, with the following content:
      - run:
          name: Authenticate with registry
          command: cat ~/repo/.npmrc
which will output the content including the secret token. And CI doesn’t try to handle it (let’s say replace the token with asterisk symbols). Moreover, any unregistered user can see this log.
What is the proper way to prevent it?
halfer
September 25, 2018, 10:00am
2
rumax
September 25, 2018, 1:39pm
3
The issue itself is that the article doesn’t mention this issue; therefore there could be different ways to solve it, like:
At least mention the issue in the article
Do a proper fix. For example, the first thing that I’m thinking about is to:
Define which job can have access to the variable
Disable any output from this job, except the status
Only owner can see the output from the job
Example:
      - run:
          name: Publish package
          command: npm publish
          systemVariables: npm_TOKEN
          logsEnabled: false
And duplicate the settings in circleci.com settings.
In this case it doesn’t matter if simple echo is used or a more complicated scenario, like echo base64(secret) or echo rot13(secret).
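As an added example (not code from the thread or from CircleCI), a small log sanitizer showing why masking only the literal token is not enough, as the post notes for echo base64(secret) or echo rot13(secret): it masks the token together with its trivially reversible encodings and reports which form reached the log. The token value and the log lines are constructed.

```python
import base64
import codecs

# Added example, not code from the thread or from CircleCI.
# Constructed sample token (not a real npm token); in CI it would come
# from the job's environment, e.g. os.environ["npm_TOKEN"].
NPM_TOKEN = "npm_constructedExampleToken0123456789"

# Constructed log lines: the .npmrc echo from the thread, the base64 and
# rot13 forms the thread mentions, and one harmless line.
SAMPLE_LOG = "\n".join([
    "//registry.npmjs.org/:_authToken=" + NPM_TOKEN,
    base64.b64encode(NPM_TOKEN.encode()).decode(),
    codecs.encode(NPM_TOKEN, "rot_13"),
    "npm notice publishing @example/pkg@1.0.0",
])


def secret_variants(secret):
    """The literal secret plus encodings that are trivially reversible."""
    b64 = base64.b64encode(secret.encode()).decode()
    return {
        "plain": secret,
        "base64": b64,
        "base64-unpadded": b64.rstrip("="),
        "rot13": codecs.encode(secret, "rot_13"),
        "hex": secret.encode().hex(),
        "reversed": secret[::-1],
    }


def find_and_mask(log_text, secrets, mask="********"):
    """Mask every variant of every secret; return (masked_text, counts per variant)."""
    counts = {}
    for secret in secrets:
        # Longest variant first, so padded base64 is consumed before its
        # unpadded prefix and each leak is counted once.
        variants = sorted(secret_variants(secret).items(),
                          key=lambda kv: -len(kv[1]))
        for name, variant in variants:
            hits = log_text.count(variant)
            if hits:
                counts[name] = counts.get(name, 0) + hits
                log_text = log_text.replace(variant, mask)
    return log_text, counts


masked_log, leaked_forms = find_and_mask(SAMPLE_LOG, [NPM_TOKEN])
# leaked_forms == {'base64': 1, 'plain': 1, 'rot13': 1}
```

A sanitizer like this only catches the forms it anticipates, so it is a second line of defence behind limiting which jobs receive the variable at all, as the post proposes.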