Bug allowing anyone to log in as any valid GitHub user
Doridian opened this issue · 13 comments
Bug Report
Versions
| Component | Version |
|---|---|
| Verdaccio | 5.13 |
| This plugin | 5.0 |
| Node | Whatever Verdaccio 5.13 Docker image ships |
Node | Whatever Verdaccio 5.13 Docker image ships |
Have htpasswd and this plugin enabled
Observed behavior
Verdaccio lets you log in with a GitHub user with any password.

```
npm adduser --registry https://xxxxxx
```

Enter the GitHub username of a user previously used with this plugin, enter ANY password.
You will get issued a token.
Logs show:
```
[github-oauth-ui] User successfuly authenticated: {
  name: 'USERNAME',
  groups: [ '$all', '@all', '$authenticated', '@authenticated' ],
  real_groups: [ whatever the actual GH user has, like orgs etc ]
}
```
Expected behavior
Login failure
Steps to reproduce
- Log in with any GitHub user into an instance with this plugin installed
- Run `npm adduser --registry https://xxxxxx` on any machine, with the correct username and any password
Please read the breaking changes before upgrading to a new major version https://github.com/n4bb12/verdaccio-github-oauth-ui/releases/tag/5.0.0
I did not upgrade. I started on this version. I did not use any previous version of this plugin and followed the instructions in the docs folder.
Also, even if I did upgrade, the breaking changes only mention permission issues.
This is NOT a permissions issue at all.
Under no circumstances should this plugin allow you to log in as someone else, whose credentials you do not have, which it does.
@n4bb12 Please, if you think I did something wrong, tell me. But don't just close the issue assuming I upgraded from a previous version.
Here's my whole config, which seems correct from your docs folder:
```yaml
# path to a directory with all packages
storage: /verdaccio/storage
# path to a directory with plugins to include
plugins: /verdaccio/plugins

web:
  # WebUI is enabled as default, if you want disable it, just uncomment this line
  #enable: false
  title: Verdaccio

auth:
  github-oauth-ui:
    client-id: REDACTED
    client-secret: REDACTED
    token: REDACTED
  htpasswd:
    file: /verdaccio/conf/htpasswd
    algorithm: bcrypt
    # Maximum amount of users allowed to register, defaults to "+infinity".
    # You can set this to -1 to disable registration.
    max_users: -1

packages:
  '@*/*':
    access: github/org/xxx xxx
    publish: github/org/xxx xxx
  '**':
    access: github/org/xxx xxx
    publish: github/org/xxx xxx

# To use `npm audit` uncomment the following section
middlewares:
  github-oauth-ui:
    enabled: true
  audit:
    enabled: true

security:
  api:
    jwt:
      sign:
        expiresIn: 90d
  web:
    sign:
      expiresIn: 7d

# log settings
log: { type: stdout, format: pretty, level: http }
```
Maybe I misunderstood.
Anybody with a GitHub account can log in to any registry as themselves using v5+ of the plugin. This is intended. This is not what you're referring to?
How does `npm adduser` play into this? This is not a command that works with GitHub, is it?
Okay, so, basically what I am saying is.
I (doridian) log into my Verdaccio UI using my GitHub account. I get the expected permissions, everything is good so far.
Now, say, an evil user finds my Verdaccio instance.
That evil user now runs:

```
npm adduser --registry https://myregistry
```
They then enter my username (doridian) and any password.
Now they are logged in as me, with all my permissions.
This should not permit login at all, considering `npm adduser` is for plain-password login only and no password should be valid.
But it seems just ANY password gets accepted.
Okay, thanks for reporting. Trying to reproduce and better understand.
> Now they are logged in as me, with all my permissions.

How do you verify that that is the case?
> > Now they are logged in as me, with all my permissions.
>
> How do you verify that that is the case?
I ran `npm install` on several packages (as you can see, my configuration only allows members of a specific org to download all packages). I verified those packages cannot be installed/viewed otherwise (by users outside the org).
Also, in the log after `npm adduser`, I received the following log line (as another data point):

```
[github-oauth-ui] User successfuly authenticated: {
  name: 'doridian',
  groups: [ '$all', '@all', '$authenticated', '@authenticated' ],
  real_groups: [ 'github/org/xxx' ]
}
```

(The `real_groups` containing my org)
To note: This only works after the "real" user has logged in to Verdaccio at least once.
Should be fixed in 5.0.1 by adding this check.
Can you confirm the two plugins work in tandem as you would expect?
Confirmed it now rejects GitHub users correctly in `npm adduser`.
Note that you can still `npm adduser` a GitHub username if htpasswd registration is enabled. The authentication however then runs through htpasswd and the resulting user does not include GitHub groups. I think this is the intended behavior of using multiple auth plugins in tandem.
Thanks again for reporting and insisting 😀