Nimble Publish Command Security Leak #910

Closed
henryas opened this issue Apr 17, 2021 · 8 comments

@henryas
Contributor

henryas commented Apr 17, 2021

I used the `nimble publish` command to publish my first nimble package recently. Nimble automatically added my GitHub security token into the nimble package list and pushed it to GitHub. It was something like this.

"url": "https://15b1acb3d21ebde45e8ab271e72fb4a75ad40143:[email protected]/henryas/nptr"

GitHub automatically detected the leak and revoked the token.

It is better for Nimble to ask for the URL than to try to figure things out on its own and expose someone's security credential. This needs fixing.

@Araq
Member

Araq commented Apr 17, 2021

Strange, Nimble never did that for me... How to reproduce? Just "nimble publish"?

@henryas
Contributor Author

henryas commented Apr 17, 2021

Yup. Just `nimble publish`, and answered the questions there. I used the built-in terminal in VS Code. You can check the initial commit there: nim-lang/packages#1870.

@dom96
Collaborator

dom96 commented Apr 17, 2021

How did you get a Git repo with such a URL? Sounds like a pretty bad idea to include a token in the URL, we have SSH keys for a reason.

@henryas
Contributor Author

henryas commented Apr 17, 2021

I don't know how such a URL came up. I set up GitHub like ages ago and I don't remember what I did back then. You can tell from the format of the token that it was GitHub's old OAuth token. They don't use that format anymore. My guess is that I set it up to work with GitHub's OAuth, which I believe is still one of GitHub's recommended authentication methods. So far, I have never had to deal with such URLs. It is transparently done behind the scenes.

I was learning about Nim through the "Nim in Action" book, which is an excellent book by the way. I used the `nimble publish` command. I answered the prompted questions about the name, tags, license, but it never asked about any URL. Then, nimble automatically pushed a commit to GitHub. I did not notice the leak until one of the reviewers asked about it, and suggested some changes. I checked my email and found GitHub had revoked the token because it was posted online. So somehow nimble manages to dig out such information from my machine.

I think it would be nice if Nimble explicitly asked for the URL because people may connect to GitHub through a different means from the way the general public should download the module.

@dom96
Collaborator

dom96 commented Apr 17, 2021

Looking at GitHub's docs, there is a warning not to clone with these URLs, which is what I guess you (or another app) did: https://docs.github.com/en/github/extending-github/git-automation-with-oauth-tokens#step-2-clone-a-repository

Nimble simply reads your git repo's remote URL, any other app can do the same since this is all stored in plaintext (some might have already done it without you being aware of it!).

We should likely strip the username/password info away from any URL we find in Nimble before publishing, but I feel like the real problem here is that it's possible to store something like this in Git, maybe it's something for Git to warn about/disallow?

@henryas
Contributor Author

henryas commented Apr 18, 2021

@dom96 I love your book. It does wonders in getting people up to speed with Nim. The book got me into Nim. It is really well written. It has a nice balance between brevity and being thorough.

If nimble decides to strip the URL, I should point out that in my case it was using the old format which is https://<token>:[email protected]/<username>/<pkg>. The old format is still supported and other people may still use it. I believe the new format is https://<username>:<token>@github.com/<username>/<pkg>. There could be other ways too.
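
The credential stripping suggested in this thread, handling both URL layouts mentioned above by dropping everything before the `@` regardless of order, as an added example in Python (not Nimble's code and not written by any participant). The function names and the sample URLs on `git.example.com` are constructed for illustration.

```python
from urllib.parse import urlsplit, urlunsplit

# Schemes where userinfo in the URL acts as a credential. For ssh:// and
# scp-style remotes the "git@" part is only a login name, so those are kept.
HTTP_SCHEMES = {"http", "https"}


def strip_userinfo(remote_url: str) -> str:
    """Return remote_url without any user[:password]@ part (http/https only)."""
    parts = urlsplit(remote_url)
    if parts.scheme not in HTTP_SCHEMES or "@" not in parts.netloc:
        return remote_url
    # Everything before the last '@' is userinfo, whether it is
    # <token>:<filler> or <username>:<token>; keep only host[:port].
    host_port = parts.netloc.rpartition("@")[2]
    return urlunsplit(
        (parts.scheme, host_port, parts.path, parts.query, parts.fragment)
    )


def url_for_publishing(remote_url: str):
    """Return (clean_url, warning). The warning never echoes the secret."""
    clean = strip_userinfo(remote_url)
    if clean == remote_url:
        return clean, None
    return clean, (
        "remote URL contains embedded credentials; publishing "
        + clean
        + " instead, and the embedded token should be rotated"
    )


if __name__ == "__main__":
    # Constructed sample remotes; none of these values are real tokens.
    samples = [
        "https://0123abcd:x@git.example.com/alice/pkg",           # token first
        "https://alice:0123abcd@git.example.com:8443/alice/pkg",  # username first
        "https://git.example.com/alice/pkg",                      # already clean
        "git@git.example.com:alice/pkg.git",                      # scp-style SSH
    ]
    for remote in samples:
        clean, warning = url_for_publishing(remote)
        print(clean, "| WARNING:" if warning else "| ok", warning or "")
```
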

@henryas
Contributor Author

henryas commented Apr 18, 2021

Ok. Now I know how the URL came about.

When you switch from using SSH to HTTPS, by specifying `git remote set-url origin https://github.com/<username>/<pkg>.git`, git automatically appends the token into the URL. I tried that and my remote URL becomes https://<token>:[email protected]/<username>/<pkg>.git again.

So naturally this problem affects people who use HTTPS.

@henryas
Contributor Author

henryas commented Apr 19, 2021

Never mind what I said earlier. I had the URL set in my gitconfig. I don't remember why I did that.
