High severity · NVD Advisory · Published Apr 1, 2021 · Updated Aug 3, 2024
ApiKey secret could be revealed on network issue
CVE-2021-21421
Description
node-etsy-client is a NodeJs Etsy ReST API Client. Applications that use node-etsy-client and report client errors to the end user will also expose the API key value. This is fixed in node-etsy-client v0.3.0 and later.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| node-etsy-client (npm) | < 0.3.0 | 0.3.0 |
Affected products
1- Range: < 0.3.0
Patches
b4beb8ef0803 Fix #17 do not report secret on error, add github action
8 files changed · +173 −2
.github/workflows/main.yml+66 −0 added@@ -0,0 +1,66 @@ +# node-etsy-client continuous integration + +name: etsy_client_ci + +# Controls when the action will run. +on: + # Triggers the workflow on pull request or push (only for the npmjs branch) + push: + branches: [ npmjs ] + pull_request: + + # Allows you to run this workflow manually from the Actions tab + workflow_dispatch: + +# A workflow run is made up of one or more jobs that can run sequentially or in parallel +jobs: + # This workflow contains a single job called "build" + build: + # The type of runner that the job will run on + runs-on: ubuntu-latest + + env: + ETSY_SHOP: fakefakefakefake + + strategy: + matrix: + # See supported Node.js release schedule at https://nodejs.org/en/about/releases/ + # node-version: [10.x, 12.x, 14.x, 15.x] + node-version: [12.x] + + steps: + - name: Checkout code + uses: actions/checkout@v2 + + - name: Use Node.js ${{ matrix.node-version }} + uses: actions/setup-node@v1 + with: + node-version: ${{ matrix.node-version }} + + - name: Cache dependencies + uses: actions/cache@v2 + with: + path: | + **/node_modules + key: ${{ runner.os }}-${{ hashFiles('**/package-lock.json') }} + + - name: Install dependencies + # - run: npm ci # need package.json.lock + run: npm install + + - name: Run ci-tests with code coverage + run: npm run ci-test + + - name: Report coverage to the PR + continue-on-error: true + uses: romeovs/lcov-reporter-action@v0.2.16 + with: + github-token: ${{ secrets.GITHUB_TOKEN }} + lcov-file: ./coverage/lcov.info + + - name: Publish NpmJS package + if: github.ref == 'refs/heads/npmjs' + run: | + echo "//registry.npmjs.org/:_authToken=${{ secrets.NPM_DEPLOY_TOKEN }}" > .npmrc + npm whoami # rely on .npmrc + npm publish \ No newline at end of file
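Review bot: The cache key in the "Cache dependencies" step hashes `**/package-lock.json`, but the comment on the install step (`# - run: npm ci # need package.json.lock`) says no lockfile is committed, so `hashFiles` yields an empty string and the key never changes when dependencies change; commit a lockfile and switch to `npm ci`, or key the cache on `package.json` until then. The actions (`actions/checkout@v2`, `actions/setup-node@v1`, `actions/cache@v2`, `romeovs/lcov-reporter-action@v0.2.16`) are referenced by mutable tags; pinning each to a full commit SHA keeps a retagged or compromised release from running with this job's tokens. The publish step writes `NPM_DEPLOY_TOKEN` into a `.npmrc` in the checkout via `echo`; the documented alternative is `registry-url: 'https://registry.npmjs.org'` on the setup-node step plus `NODE_AUTH_TOKEN: ${{ secrets.NPM_DEPLOY_TOKEN }}` as `env` on the publish step, which avoids leaving the token in a file in the working tree. The workflow declares no top-level `permissions:` block, so the default token scope applies to every step including the third-party coverage reporter.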
.github/workflows/minor.yml+34 −0 added@@ -0,0 +1,34 @@ +# WIP - node-etsy-client minor from 'main' branch to 'npmjs' branch +name: etsy_client_minor +on: + # Allows you to run this workflow manually from the Actions tab + workflow_dispatch: + +jobs: + build: + runs-on: ubuntu-latest + strategy: + matrix: + node-version: [12.x] + + steps: + - name: Git checkout + uses: actions/checkout@v2 + with: + ref: 'npmjs' + token: ${{ secrets.GH_ACTIONS_TOKEN }} + + - name: Use Node.js ${{ matrix.node-version }} + uses: actions/setup-node@v1 + with: + node-version: ${{ matrix.node-version }} + + - name: Minor + run: | + git config --global user.email 'github-actions[bot]@users.noreply.github.com' + git config --global user.name 'github-actions[bot]' + git fetch --all + git checkout main + npm version minor + git branch -f npmjs + git push origin main npmjs --tags \ No newline at end of file
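Review bot: The `Minor` step runs `npm version minor` and pushes the resulting commit and tag to `main` and `npmjs` without running the test suite first, so a broken tree can be tagged and, since `main.yml` in this commit publishes on pushes to `npmjs`, released; add `run: npm install` and `run: npm run ci-test` steps before it. `.github/workflows/patch.yml` in this commit has the same shape and the same gap. The checkout uses `secrets.GH_ACTIONS_TOKEN` rather than the default `GITHUB_TOKEN`, presumably so that the push triggers the CI workflow; a comment such as `# PAT so the push to npmjs triggers etsy_client_ci (GITHUB_TOKEN pushes do not)` would keep the next maintainer from swapping it back. Both files are headed `WIP` and name the job `build` although it bumps and pushes a version; `release` or `bump` would describe it.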
.github/workflows/patch.yml+34 −0 added@@ -0,0 +1,34 @@ +# WIP - node-etsy-client patch from 'main' branch to 'npmjs' branch +name: etsy_client_patch +on: + # Allows you to run this workflow manually from the Actions tab + workflow_dispatch: + +jobs: + build: + runs-on: ubuntu-latest + strategy: + matrix: + node-version: [12.x] + + steps: + - name: Git checkout + uses: actions/checkout@v2 + with: + ref: 'npmjs' + token: ${{ secrets.GH_ACTIONS_TOKEN }} + + - name: Use Node.js ${{ matrix.node-version }} + uses: actions/setup-node@v1 + with: + node-version: ${{ matrix.node-version }} + + - name: Patch + run: | + git config --global user.email 'github-actions[bot]@users.noreply.github.com' + git config --global user.name 'github-actions[bot]' + git fetch --all + git checkout main + npm version patch + git branch -f npmjs + git push origin main npmjs --tags \ No newline at end of file
package.json+4 −1 modified@@ -5,7 +5,9 @@ "main": "./src/EtsyClient.js", "types": "./src/EtsyClient.d.ts", "scripts": { - "test": "mocha tests/*.test.js" + "test": "mocha tests/*.test.js", + "cover": "nyc --reporter text --reporter cobertura --reporter html --reporter=lcov --lines 66 mocha --exit --unhandled-rejections=strict tests/*.test.js", + "ci-test": "echo linux ci-test&& nyc --reporter text --reporter cobertura --reporter html --reporter=lcov --lines 66 mocha --exit --unhandled-rejections=strict tests/*.test.js --timeout 5000" }, "private": false, "author": "Boly38 <boly380@gmail.com>", @@ -35,6 +37,7 @@ "chai": "^4.2.0", "mocha": "^8.2.1", "node-fetch": "^2.6.1", + "nyc": "^15.1.0", "query-string": "^6.13.7", "winston": "^3.3.3" },
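Review bot: The `ci-test` script repeats the entire `cover` command line only to append `--timeout 5000` and an echo; `"ci-test": "npm run cover -- --timeout 5000"` expresses the same thing once, because npm forwards arguments after `--` to the end of the script. The `--lines 66` coverage threshold now appears twice with nothing saying why 66; a short note in the README or a single `nyc` config section would give it one home and one explanation.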
README.md+3 −0 modified@@ -60,6 +60,9 @@ You're not a dev ? just submit an issue (bug, improvements, questions). Or else: git clone https://github.com/creharmony/node-etsy-client.git cd node-etsy-client npm install +# play test without etsy endpoint +npm run test +# play test with etsy endpoint . ./env/initEnv.example.sh npm run test ```
src/EtsyClient.js+19 −1 modified@@ -93,10 +93,28 @@ class EtsyClient { const getQueryString = queryString.stringify(this.getOptions(options)); fetch(`${this.apiUrl}${endpoint}?${getQueryString}`) .then(response => EtsyClient._response(response, resolve, reject)) - .catch(reject); + .catch((fetchError) => { + var secureError = {}; + this.secureErrorAttribute(secureError, fetchError, "message"); + this.secureErrorAttribute(secureError, fetchError, "reason"); + this.secureErrorAttribute(secureError, fetchError, "type"); + this.secureErrorAttribute(secureError, fetchError, "errno"); + this.secureErrorAttribute(secureError, fetchError, "code"); + reject(secureError); + }); }); } + secureErrorAttribute(secureError, sourceError, attribute) { + if (!Object.keys(sourceError).includes(attribute)) { + return; + } + secureError[attribute] = this.secureAttributeValue(sourceError[attribute]); + } + + secureAttributeValue(value) { + return (value === null || value === undefined) ? null : value.replace(new RegExp(this.apiKey,'g'), "**hidden**"); + } getOptions(options) { var merged = options ? options : {};
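Review bot: `secureErrorAttribute` filters with `Object.keys(sourceError).includes(attribute)`, which only sees enumerable own properties; `message` on a plain `Error` is own but non-enumerable, so any plain `Error` reaching this catch is rejected as an empty `{}` and all diagnostics are lost — `Object.prototype.hasOwnProperty.call(sourceError, attribute)` sees it. `secureAttributeValue` then calls `value.replace` on every non-null value, so a numeric `errno` or `code` throws inside the catch callback and the outer promise never settles; and `new RegExp(this.apiKey, 'g')` treats the key as a pattern, so any regex metacharacter in it changes what gets redacted, whereas `value.split(this.apiKey).join("**hidden**")` matches it literally with the same global effect. Redaction also only catches the key verbatim; if `queryString.stringify` percent-encodes characters in it, the encoded form inside a URL-bearing message would pass through, which is worth a comment if keys are known to be plain alphanumerics. The method that issues the fetch starts before this hunk, and `var secureError` would be `const`.
```javascript
  secureErrorAttribute(secureError, sourceError, attribute) {
    // hasOwnProperty also sees non-enumerable own props such as Error#message, which Object.keys skips
    if (!Object.prototype.hasOwnProperty.call(sourceError, attribute)) {
      return;
    }
    secureError[attribute] = this.secureAttributeValue(sourceError[attribute]);
  }

  secureAttributeValue(value) {
    if (value === null || value === undefined) {
      return null;
    }
    // only strings can carry the key; split/join matches it literally, so regex metacharacters cannot widen the match
    return typeof value === 'string' ? value.split(this.apiKey).join("**hidden**") : value;
  }
```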
tests/unauthenticated_client.test.js+13 −0 modified@@ -2,6 +2,8 @@ const assert = require('assert').strict; const expect = require('chai').expect const EtsyClient = require('../src/EtsyClient.js'); +const FAKE_API_KEY = "ultraSecretRightHere"; + if (!process.env.ETSY_API_KEY) { describe("Test Unauthenticated EtsyClient", function() { @@ -10,6 +12,17 @@ if (!process.env.ETSY_API_KEY) { expect(function () { new EtsyClient() } ).to.throw('apiKey is required'); }); + it("should not report api key in error case", async function() { + const client = new EtsyClient({ + apiKey:FAKE_API_KEY, + apiUrl:"https://IAmNotEtsyEndpoint.com" + }); + const shops = await client.findAllShops() + .catch((getShopsError) => { + expect(""+getShopsError).to.not.include(FAKE_API_KEY); + }) + }); + }); } \ No newline at end of file
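Review bot: The assertion `expect(""+getShopsError).to.not.include(FAKE_API_KEY)` cannot fail: the client rejects with a plain object (the `reject(secureError)` in `src/EtsyClient.js` in this commit), whose string form is `[object Object]` whatever it contains, and if `findAllShops` resolves instead of rejecting the `.catch` callback never runs and the test passes having asserted nothing. Serialize the rejection with `JSON.stringify` and fail explicitly when no rejection occurs, as below; `const shops` is assigned and never read. The test also resolves a real hostname (`IAmNotEtsyEndpoint.com`), so its outcome depends on the DNS behaviour of the CI host; a name under the reserved `.invalid` TLD would be more predictable, though I cannot tell from here whether the suite already tolerates that.
```javascript
  it("should not report api key in error case", async function() {
    // … unchanged: client construction with FAKE_API_KEY and the fake apiUrl …
    let rejection = null;
    await client.findAllShops().catch((getShopsError) => { rejection = getShopsError; });
    expect(rejection, "findAllShops should reject against a fake endpoint").to.not.equal(null);
    expect(JSON.stringify(rejection)).to.not.include(FAKE_API_KEY);
  });
```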
.travis.yml.disabled+0 −0 renamed
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-xw22-wv29-3299 (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2021-21421 (ghsa, ADVISORY)
- github.com/creharmony/node-etsy-client/commit/b4beb8ef080366c1a87dbf9e163051a446acaa7d (ghsa, x_refsource_MISC, WEB)
- github.com/creharmony/node-etsy-client/security/advisories/GHSA-xw22-wv29-3299 (ghsa, x_refsource_CONFIRM, WEB)
News mentions
No linked articles in our index yet.