On March 7, 2017, this issue was addressed in NPM 1.5.7 and later versions. You can now type double quotes into a user script and they will be interpreted as a literal value rather than as a keyword. The double quotes tell the Node.js interpreter that what follows is a string and not a keyword. They are not a security measure and cannot be used to bypass authorization; they are a convenience that makes it easier to insert strings into a script.

If you use the double-quoted string "{{foo}}" to inject a literal value into an NPM user script, it will be interpreted as a keyword.

NPM Authorization using Authorization Servers

NPM user scripts can be authorized by using the Authorization Servers. The Authorization Servers are specific to your organization and are not accessible to others.
The Authorization Server is a module that can be included in any NPM package that you would like authorized users to use. You must provide a set of credentials, which are stored on the local machine (e.g., in ~/.npmrc) and used by any scripts that require authentication.

Confirming that your package has been updated and that the fix was applied

If you have installed a package from an NPM user script, use "npm -v" to check whether it has been updated. You can also check the package's CHANGELOG to see whether a fix was applied.

How to detect this vulnerability in NPM user scripts?

To detect this vulnerability in NPM user scripts, use the following check (the variable `user` is assumed to hold the user name being checked; it is not defined on the page):

    // Assumption: `user` holds the user name the script is checking for.
    const user = process.env.USER || '';
    // True when the script was invoked with an argument of the form --<user>.
    if (process.argv.indexOf('--' + user) > 0) {
      console.log('argument --' + user + ' was passed to the script');
    }

Timeline

Published on: 02/14/2022 16:15:00 UTC
Last modified on: 02/23/2022 19:07:00 UTC
