n4bb12/verdaccio-github-oauth-ui

Bug allowing anyone to log in as any valid GitHub user

Doridian opened this issue · 13 comments

Bug Report

Versions

Version
Verdaccio 5.13
This plugin 5.0
Node Whatever Verdaccio 5.13 Docker image ships

Have htpasswd and this plugin enabled

Observed behavior

Verdaccio lets you login with a GitHub user with any password
npm adduser --registry https://xxxxxx
Enter GitHub username of a user previously used with this plugin, enter ANY password.
You will get issued a token.

Logs show:

[github-oauth-ui] User successfuly authenticated: {
  name: 'USERNAME',
  groups: [ '$all', '@all', '$authenticated', '@authenticated' ],
  real_groups: [ whatever the actual GH user has, like orgs etc ]
}

Expected behavior

Login failure

Steps to reproduce

  • Log in with any GitHub user into an instance with this plugin installed
  • Run npm adduser --registry https://xxxxxx on any machine, with the correct username and any password

Please read the breaking changes before upgrading to a new major version https://github.com/n4bb12/verdaccio-github-oauth-ui/releases/tag/5.0.0

I did not upgrade. I started on this version. I did not use any previous version of this plugin and followed the instructions in the docs folder.

Also, even if I did upgrade, the breaking changes only mention permission issues.
This is NOT a permissions issue at all.
Under no circumstances should this plugin allow you to log in as someone else, whose credentials you do not have, which it does.

@n4bb12 Please, if you think I did something wrong, tell me. But don't just close the issue assuming I upgraded from a previous version.

Here's my whole config, which seems correct from your docs folder:

# path to a directory with all packages
storage: /verdaccio/storage
# path to a directory with plugins to include
plugins: /verdaccio/plugins

web:
  # WebUI is enabled as default, if you want disable it, just uncomment this line
  #enable: false
  title: Verdaccio

auth:
  github-oauth-ui:
    client-id: REDACTED
    client-secret: REDACTED
    token: REDACTED
  htpasswd:
    file: /verdaccio/conf/htpasswd
    algorithm: bcrypt
    # Maximum amount of users allowed to register, defaults to "+infinity".
    # You can set this to -1 to disable registration.
    max_users: -1

packages:
  '@*/*':
    access: github/org/xxx xxx
    publish: github/org/xxx xxx

  '**':
    access: github/org/xxx xxx
    publish: github/org/xxx xxx

# To use `npm audit` uncomment the following section
middlewares:
  github-oauth-ui:
    enabled: true
  audit:
    enabled: true

security:
  api:
    jwt:
      sign:
        expiresIn: 90d
  web:
    sign:
      expiresIn: 7d

# log settings
log: { type: stdout, format: pretty, level: http }

Maybe I misunderstood.

Anybody with a GitHub account can log in to any registry as themselves using v5+ of the plugin. This is intended. This is not what you're referring to?

How does npm adduser play into this? This is not a command that works with GitHub, is it?

Okay, so, basically what I am saying is.

I (doridian) log into my Verdaccio UI using my GitHub account. I get the expected permissions, everything is good so far.

Now, say, an evil user finds my Verdaccio instance.
That evil user now runs
npm adduser --registry https://myregistry
They then enter my username (doridian) and any password.
Now they are logged in as me, with all my permissions.

This should not permit login at all, considering npm adduser is for plain-password login only and no password should be valid.
But it seems just ANY password gets accepted.

Okay, thanks for reporting. Trying to reproduce and better understand.

Now they are logged in as me, with all my permissions.

How do you verify that that is the case?

I ran npm install on several packages (as you can see, my configuration only allows members of a specific org to download all packages). I verified those packages cannot be installed/viewed otherwise (by users outside the org).

Also, in the log after npm adduser, I received the following log line (as another data point):

[github-oauth-ui] User successfuly authenticated: {
  name: 'doridian',
  groups: [ '$all', '@all', '$authenticated', '@authenticated' ],
  real_groups: [ 'github/org/xxx' ]
}

(The real_groups containing my org)

To note: This only works after the "real" user has logged in to Verdaccio at least once.

Should be fixed in 5.0.1 by adding this check.
Can you confirm the two plugins work in tandem as you would expect?

Confirmed it now rejects GitHub users correctly in npm adduser.

Note that you can still npm adduser a GitHub username if htpasswd registration is enabled. The authentication however then runs through htpasswd and the resulting user does not include GitHub groups. I think this is the intended behavior of using multiple auth plugins in tandem.

Thanks again for reporting and insisting 😀