Sensitive information exposure through logs in npm cli

@@ -28,6 +28,7 @@
   var npm = require('../lib/npm.js')
   var npmconf = require('../lib/config/core.js')
   var errorHandler = require('../lib/utils/error-handler.js')
+  var replaceInfo = require('../lib/utils/replace-info.js')
 
   var configDefs = npmconf.defs
   var shorthands = configDefs.shorthands
@@ -40,7 +41,8 @@
     process.argv.splice(1, 1, 'npm', '-g')
   }
 
-  log.verbose('cli', process.argv)
+  var args = replaceInfo(process.argv)
+  log.verbose('cli', args)
 
   var conf = nopt(types, shorthands)
   npm.argv = conf.argv.remain

@@ -3,6 +3,7 @@
 const deprCheck = require('./utils/depr-check')
 const path = require('path')
 const log = require('npmlog')
+const pacote = require('pacote')
 const readPackageTree = require('read-package-tree')
 const rimraf = require('rimraf')
 const validate = require('aproba')
@@ -11,15 +12,17 @@ const npm = require('./npm')
 let npmConfig
 const npmlog = require('npmlog')
 const limit = require('call-limit')
-const tempFilename = require('./utils/temp-filename')
-const pacote = require('pacote')
+const tempFilename = require('./utils/temp-filename.js')
+const replaceInfo = require('./utils/replace-info.js')
 const isWindows = require('./utils/is-windows.js')
 
 function andLogAndFinish (spec, tracker, done) {
   validate('SOF|SZF|OOF|OZF', [spec, tracker, done])
   return (er, pkg) => {
     if (er) {
-      log.silly('fetchPackageMetaData', 'error for ' + String(spec), er.message)
+      er.message = replaceInfo(er.message)
+      var spc = replaceInfo(String(spec))
+      log.silly('fetchPackageMetaData', 'error for ' + spc, er.message)
       if (tracker) tracker.finish()
     }
     return done(er, pkg)

@@ -12,6 +12,7 @@ var exitCode = 0
 var rollbacks = npm.rollbacks
 var chain = require('slide').chain
 var errorMessage = require('./error-message.js')
+var replaceInfo = require('./replace-info.js')
 var stopMetrics = require('./metrics.js').stop
 
 const cacheFile = require('./cache-file.js')
@@ -175,14 +176,16 @@ function errorHandler (er) {
   ].forEach(function (k) {
     var v = er[k]
     if (!v) return
+    v = replaceInfo(v)
     log.verbose(k, v)
   })
 
   log.verbose('cwd', process.cwd())
 
   var os = require('os')
+  var args = replaceInfo(process.argv)
   log.verbose('', os.type() + ' ' + os.release())
-  log.verbose('argv', process.argv.map(JSON.stringify).join(' '))
+  log.verbose('argv', args.map(JSON.stringify).join(' '))
   log.verbose('node', process.version)
   log.verbose('npm ', 'v' + npm.version)
 

@@ -3,12 +3,17 @@ var npm = require('../npm.js')
 var util = require('util')
 var nameValidator = require('validate-npm-package-name')
 var npmlog = require('npmlog')
+var replaceInfo = require('./replace-info.js')
 
 module.exports = errorMessage
 
 function errorMessage (er) {
   var short = []
   var detail = []
+
+  er.message = replaceInfo(er.message)
+  er.stack = replaceInfo(er.stack)
+
   switch (er.code) {
     case 'ENOAUDIT':
       short.push(['audit', er.message])

@@ -0,0 +1,22 @@
+const URL = require('url')
+
+// replaces auth info in an array
+//  of arguments or in a strings
+function replaceInfo (arg) {
+  const isArray = Array.isArray(arg)
+  const isString = typeof arg === 'string'
+
+  if (!isArray && !isString) return arg
+
+  const args = isString ? arg.split(' ') : arg
+  const info = args.map(arg => {
+    try {
+      const url = new URL(arg)
+      return url.password === '' ? arg : arg.replace(url.password, '***')
+    } catch (e) { return arg }
+  })
+
+  return isString ? info.join(' ') : info
+}
+
+module.exports = replaceInfo