How to prevent token leaking?

rumax · September 25, 2018, 8:39am

Following the https://circleci.com/blog/publishing-npm-packages-using-circleci-2-0/ manual, it’s possible to define $npm_TOKEN which is used to publish to NPM.

The job that does it uses:

- run:
          name: Authenticate with registry
          command: echo "//registry.npmjs.org/:_authToken=$npm_TOKEN" > ~/repo/.npmrc

But there is a possibility to add a new job, with the following content:

- run:
          name: Authenticate with registry
          command: cat  ~/repo/.npmrc

which will output the content including secrete token. And CI doesn’t try to handle it (let’s say replace the token with asterisk symbols). Moreover any unregistered user can see this log.

What is the proper way to prevent it?

halfer · September 25, 2018, 10:00am

rumax · September 25, 2018, 1:39pm

The issues itself is that the article doesn’t mention this issue, therefore there could be different way to solve it, like:

At least mention the issue in the article
Do a proper fix. For, example, the first thing that I’m thinking about is to:
Define which job can have access to the variable
Disable any output from this job, except the status
Only owner can see the output from the job

Example:

- run:
          name: Publish package
          command: npm publish
          systemVariables: npm_TOKEN
          logsEnabled: false

And duplicate the settings in circleci.com settings

In this case it doesn’t matter of simple echo is used or more complicated scenario, like echo base64(secret) or echo rot13(secret).