eeymoo/nvm
1
0
Fork 0
mirror of https://github.com/nvm-sh/nvm.git synced 2026-06-05 13:57:08 +08:00
Code Issues Actions 28 Packages Projects Releases Wiki Activity

[Fix] nvm_download: send a well-formed Authorization header on the wget path

Browse Source 
The wget path passed `NVM_AUTH_HEADER` as the raw header line
(e.g. `--header "Bearer secret-token"`),
omitting the `Authorization:` header name that the curl path includes.
Per the documented usage
(`NVM_AUTH_HEADER="Bearer secret-token"`) the value is the credential,
so wget was sending a malformed header.
Prefix it with `Authorization: ` to match the curl path.
This commit is contained in:
Jordan Harband
2026-06-02 17:40:50 -07:00
parent 84079dbff3
commit d264b796a3
2 changed files with 44 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
nvm.sh
View File

@@ -151,7 +151,7 @@ nvm_download() {
if [ -n "${NVM_AUTH_HEADER:-}" ]; then
sanitized_header=$(nvm_sanitize_auth_header "${NVM_AUTH_HEADER}")
ARGS="${ARGS} --header \"${sanitized_header}\""
ARGS="${ARGS} --header \"Authorization: ${sanitized_header}\""
fi
# shellcheck disable=SC2086
eval wget $ARGS

43
test/fast/Unit tests/nvm_download wget Authorization header Executable file
View File

@@ -0,0 +1,43 @@
#!/bin/sh
OLDPATH="$PATH"
WORK="$PWD/nvm_download-wgetauth-work.$$"
TEST_BIN="$WORK/bin"
ARGV_LOG="$WORK/argv.log"
cleanup() {
unset -f die cleanup nvm_has
rm -rf "$WORK"
export PATH="$OLDPATH"
}
die () { echo "$@" ; cleanup ; exit 1; }
\. ../../../nvm.sh
OLDPATH="$PATH"
mkdir -p "$TEST_BIN"
# fake wget: record each received argument verbatim, then succeed
{
echo '#!/bin/sh'
echo ': > "$ARGV_LOG"'
echo 'for a in "$@"; do printf "%s\n" "$a" >> "$ARGV_LOG"; done'
echo 'exit 0'
} > "$TEST_BIN/wget"
chmod +x "$TEST_BIN/wget"
export ARGV_LOG
export PATH="$TEST_BIN:$OLDPATH"
# force the wget path while keeping system tools (sed) available for sanitization
nvm_has() { [ "$1" != curl ] && command -v "$1" >/dev/null 2>&1; }
# given an Authorization credential in NVM_AUTH_HEADER
# when nvm_download uses the wget path
NVM_AUTH_HEADER='Bearer test-token' nvm_download "https://nodejs.org/dist/x" -o - || die 'nvm_download (wget) returned nonzero'
# then wget receives a well-formed Authorization header (with the header name, like the curl path)
grep -Fxqe '--header' "$ARGV_LOG" || die "wget did not receive --header; got: $(cat "$ARGV_LOG")"
grep -Fxq 'Authorization: Bearer test-token' "$ARGV_LOG" || die "wget did not receive a well-formed Authorization header; got: $(cat "$ARGV_LOG")"
cleanup
echo "nvm_download wget Authorization header: passed"