Potential security threat detected in build errors in a fresh create-react-app install (script accessing "/initrd.img", "/vmlinuz" and others)

After I have created a new app with create-react-app or Razzle, error messages appear at build time which are quite concerning, security-wise:

[Error: ENOENT: no such file or directory, stat '/initrd.img'] {
  errno: -2,
  code: 'ENOENT',
  syscall: 'stat',
  path: '/initrd.img'
}

Sometimes, a few other messages appear, with "/vmlinuz" "/initrd.img.old", "/vmlinuz.old" and ".steampath" instead.

These messages appear any time there's a build error (any build error that I generate).

This is basically the same problem as described in vue-CLI outputting very concerning error (security question) (but I was told to ask a new question). There were testimonies of three people having the same error messages in that thread.

I don't think there would be any valid reason for a React build script to stat the Linux kernel and a Steam directory, so there might be a malicious package at play here.

This only happens with npm, not yarn. (If your app has been created by CRA with yarn, you should do rm -rf node_modules && rm -rf yarn.lock && npm install.)

The most minimal setup I could achieve while trying to isolate the culprits was:

  • creating a brand new app with create-react-app with npx create-react-app app1
  • and then generating an arbitrary build error in index.js, adding something like: import "nonexistent";

When I do that, I see the stat '/initrd.img' error mentioned above.

I'd like to know if you don't see the errors after executing the same exact steps. That would probably mean that it doesn't come from the packages installed but from elsewhere in my system.

It cannot come from my Node.js setup though, because I deleted my $HOME/.nvm, $HOME/.npm, $HOME/node_modules, $HOME/.yarn and $HOME/.config/yarn before redoing the steps below.

There aren't many similar testimonials about this on the web, apparently. A bit more with "/.steampath" though.

I reported the issue to [email protected]. They haven't replied yet.

If there is indeed a malicious script in the dependency tree of create-react-app (and Razzle), it should be investigated urgently.

Environment:

  • Node 14.14 installed with nvm 0.36.0
  • npm 6.14.8
  • create-react-app 3.4.1
  • Kubuntu 20.04

EDIT: I've also posted an issue at https://github.com/facebook/create-react-app/issues/9855. I thought this was serious and urgent enough that CRA maintainers should be notified now.

Vianney Stroebel, asked Oct 22 '20 13:10

2 Answers

I got the same error and struggled with it for 2 days. Everything was running well on my Mac, but as soon as I cloned the GitHub repository and tried to run my React app on a Linux system, as well as on AWS Amplify, it showed me this same error:

[Error: ENOENT: no such file or directory, stat '/initrd.img'].

But after checking the build error logs I found that it was a problem with an import from react-bootstrap. The problem was 'the case' of the component I was importing. In my case, I was importing the bootstrap Container and used container instead of Container. I simply corrected that and everything was resolved.

In my case:
WRONG: import Container from 'react-bootstrap/container'
RIGHT: import Container from 'react-bootstrap/Container'


My Tip: Trivial mistakes like this can also give you this error. Check for incorrect imports and see the documentation for the libraries to check the cases.

In case your application is small and you have not gone too far with the development, then you can create a new react application and copy the component files one by one and run them to see which component is actually creating the problem. This is not the best idea but it worked for me the first time I got this error.

PS: Thank you for reading. This is my first answer on Stack Overflow. YAY!

Discipula, answered Oct 01 '22 11:10


In my case the message appeared when I installed the new @mui/material UI lib without its @emotion/react and @emotion/styled complements.

The missing library name was written in the error message in the console, but I had to catch it with PrtSc because the message mentioned above replaced it almost immediately.

paleika, answered Oct 01 '22 11:10