- Notifications
You must be signed in to change notification settings - Fork90
Ensure passwords in hosted Git URLs are correctly escaped#58
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to ourterms of service andprivacy statement. We’ll occasionally send you account related emails.
Already on GitHub?Sign in to your account
Uh oh!
There was an error while loading.Please reload this page.
Conversation
isaacs commentedFeb 5, 2020
This sounds reasonable, but definitely needs a test to be accepted. My concern is ensuring that this doesn't cause any problems with how pacote et al make the request for the module. Do you have an example where this currently fails in the CLI, so that we can ensure it is fixing a real problem? If it currentlydoesn't fail in the CLI, then that means it probablywill fail with this change (which might still be reasonable, but means that other changes will be required to integrate the version of hosted-git-info/npm-package-arg that includes this change, making it semver-major). For npm v7, we've been moving towards using the WhatWG-style urls throughout the CLI. I'm assuming that might change the approach here, since escaped auth would be the default? If it turns out to be a semver-major change, we may as well go all the way and use the new parsing style, especially if it's not possible (or just not worth the effort) to pull this in until npm v7 anyway. |
stevenhilder commentedFeb 5, 2020
Test added, along with fix for edge-cases where only usernameor password is provided, not both. Yes, I encountered the problem in the CLI and tracked the error via pacote and npa through to this module. With a |
isaacs commentedFeb 10, 2020
Thanks for looking into that@stevenhilder! It looks like this is reasonable to try to get into the next npm/cli v6 release as a bugfix then. |
darcyclarke left a comment• edited
Loading Uh oh!
There was an error while loading.Please reload this page.
edited
Uh oh!
There was an error while loading.Please reload this page.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others.Learn more.
✅ LGTM; That said,@isaacs are we sure we can pull this in tonpm@6.x as we're currently onhosted-git-info@2.85? I guess the biggest Q there is whether there were serious breaking changes inhosted-git-info@3.0
PR-URL:#58Credit:@stevenhilderClose:#58Reviewed-by:@darcyclarke
What
Hosted Git URLs may be specified in the format
protocol://username:password@domain/path.However, when the username and/or password contain certain punctuation characters (notably
:or@), this library fails to return the credentials with these characters correctly escaped.The result is that npm either fails to connect because the hostname has been parsed incorrectly, or fails to authenticate with the host because the credentials have been parsed incorrectly.Why
The reason for this is that the "Legacy" API of Node.js'
urlmoduledoes not escape these characters in theauthproperty of the parsed URL.Seehttps://nodejs.org/api/url.html#url_percent_encoding_in_urls for details.
How
Node.js' newer, WHATWG-compatible APIdoes escape the
usernameandpasswordproperties of the parsed URL. The fix that I propose in this PR is to continue using the Legacy API to minimize code changes and therefore risk of regression, but to use the WHATWG API to return the parsed username and passwordonly when auth is included in the URL.