nodemailer - npm Package Compare versions

Comparing version 6.6.2 to 6.6.3

CHANGELOG.md

 # CHANGELOG
 
+## 6.6.3 2021-07-14
+
+-   Do not show passwords in SMTP transaction logs. All passwords used in logging are replaced by `"/* secret */"`
+
 ## 6.6.1 2021-05-23
@@ -4,0 +8,0 @@

lib/smtp-connection/index.js

@@ -551,2 +551,12 @@ 'use strict';
                             'utf-8'
+                        ).toString('base64'),
+                    // log entry without passwords
+                    'AUTH PLAIN ' +
+                        Buffer.from(
+                            //this._auth.user+'\u0000'+
+                            '\u0000' + // skip authorization identity as it causes problems with some servers
+                                this._auth.credentials.user +
+                                '\u0000' +
+                                '/* secret */',
+                            'utf-8'
                         ).toString('base64')
@@ -949,4 +959,5 @@ );
      * @param {String} str String to be sent to the server
+     * @param {String} logStr Optional string to be used for logging instead of the actual string
      */
-    _sendCommand(str) {
+    _sendCommand(str, logStr) {
         if (this._destroyed) {
@@ -966,3 +977,3 @@ // Connection already closed, can't send any more data
                 },
-                (str || '').toString().replace(/\r?\n$/, '')
+                (logStr || str || '').toString().replace(/\r?\n$/, '')
             );
@@ -1426,8 +1437,7 @@ }
         let base64decoded = Buffer.from(challengeString, 'base64').toString('ascii'),
-            hmac_md5 = crypto.createHmac('md5', this._auth.credentials.pass);
+            hmacMD5 = crypto.createHmac('md5', this._auth.credentials.pass);
 
-        hmac_md5.update(base64decoded);
+        hmacMD5.update(base64decoded);
 
-        let hex_hmac = hmac_md5.digest('hex');
-        let prepended = this._auth.credentials.user + ' ' + hex_hmac;
+        let prepended = this._auth.credentials.user + ' ' + hmacMD5.digest('hex');
 
@@ -1438,3 +1448,7 @@ this._responseActions.push(str => {
 
-        this._sendCommand(Buffer.from(prepended).toString('base64'));
+        this._sendCommand(
+            Buffer.from(prepended).toString('base64'),
+            // hidden hash for logs
+            Buffer.from(this._auth.credentials.user + ' /* secret */').toString('base64')
+        );
     }
@@ -1484,3 +1498,7 @@
 
-        this._sendCommand(Buffer.from(this._auth.credentials.pass + '', 'utf-8').toString('base64'));
+        this._sendCommand(
+            Buffer.from((this._auth.credentials.pass || '').toString(), 'utf-8').toString('base64'),
+            // Hidden pass for logs
+            Buffer.from('/* secret */', 'utf-8').toString('base64')
+        );
     }
@@ -1715,3 +1733,7 @@
             });
-            this._sendCommand('AUTH XOAUTH2 ' + this._auth.oauth2.buildXOAuth2Token(accessToken));
+            this._sendCommand(
+                'AUTH XOAUTH2 ' + this._auth.oauth2.buildXOAuth2Token(accessToken),
+                //  Hidden for logs
+                'AUTH XOAUTH2 ' + this._auth.oauth2.buildXOAuth2Token('/* secret */')
+            );
         });
@@ -1718,0 +1740,0 @@ }

package.json

 {
     "name": "nodemailer",
-    "version": "6.6.2",
+    "version": "6.6.3",
     "description": "Easy as cake e-mail sending from your Node.js applications",
@@ -23,2 +23,4 @@ "main": "lib/nodemailer.js",
     "devDependencies": {
+        "@aws-sdk/client-ses": "3.21.0",
+        "aws-sdk": "2.945.0",
         "bunyan": "1.8.15",
@@ -35,3 +37,3 @@ "chai": "4.3.4",
         "libqp": "1.1.0",
-        "mocha": "9.0.0",
+        "mocha": "9.0.2",
         "nodemailer-ntlm-auth": "1.0.1",
@@ -38,0 +40,0 @@ "proxy": "1.0.2",

No alert changes

Improved metrics

Total package byte prevSize

474313

increased by0.27%

Lines of code

11463

increased by0.19%

Worsened metrics

Dev dependency count

19

increased by11.76%

No dependency changes