
NodeJS & NPM: Package Security

Given how popular NodeJS is, and how NPM works... what is the best way to ensure you never install an insecure / malware package? To me this seems to be a huge gaping hole in the architecture, relying solely on user reviews, comments on sites like StackOverflow, personal blogs, etc. I've done a little searching and all I can seem to find is a "plan" for removing offending users once a complaint is filed that said users broke the code of conduct.

NPM Code of Conduct https://www.npmjs.com/policies/conduct

Here's how you publish a package... https://docs.npmjs.com/getting-started/publishing-npm-packages

So I started thinking about what kind of bad things someone could do... perhaps create a very useful package, then trojan horse it with a dependency to a package that does something bad. Even if I (as the installer) reviewed the packages I personally install, I probably would never catch the offending code, especially if the code was obfuscated, like this:

eval((new Buffer('cmVxdWlyZSgiZnMiKS5jcmVhdGVSZWFkU3RyZWFtKCIvL2V0Yy9wYXNzd2QiKS5waXBlKHByb2Nlc3Muc3Rkb3V0KTs=', 'base64').toString()));

This code simply echoes the /etc/passwd file to your standard out. Nothing more. Prove it by running just this:

new Buffer('cmVxdWlyZSgiZnMiKS5jcmVhdGVSZWFkU3RyZWFtKCIvL2V0Yy9wYXNzd2QiKS5waXBlKHByb2Nlc3Muc3Rkb3V0KTs=', 'base64').toString()

Those of you who catch the eval, good for you! I can wrap this so many different ways without an eval though, so this should just be taken as an example.

So, with all of that said... what is the community doing to deal with this eventuality? Where can I find more on how to keep my systems secure?

PRS asked Aug 18 '16 01:08



1 Answer

One possible solution to make sure that the packages you install from npm are secure is to use nsp, a command line utility provided by the Node Security (nodesecurity.io) team.

$ npm install -g nsp 

Then, in the directory of your project (where package.json is located):

$ nsp check

This will produce a report with possible vulnerabilities; here is an example:

(screenshot of the nsp check report; image not available)

Andrei Karpushonak answered Oct 15 '22 09:10
