NodeJS & NPM: package security

Given how popular NodeJS is and how NPM works... what is the best way to ensure that you never install an insecure or malicious package? To me, this seems like a huge hole in the architecture, relying solely on user feedback, comments on sites like StackOverflow, personal blogs, etc. I did a bit of research, and all I can find is a "plan" to eliminate abusive users after a complaint is filed that these users violated the code of conduct.

NPM Code of Conduct https://www.npmjs.com/policies/conduct

This is how you publish a package: https://docs.npmjs.com/getting-started/publishing-npm-packages

So I started thinking about what bad things someone could do... maybe create a very useful package and then turn it into a Trojan horse with a dependency on a package that does something bad. Even if I (as the installer) examined the packages I personally installed, I would probably never catch the offending code, especially if the code was obfuscated, for example:

 eval(Buffer.from('cmVxdWlyZSgiZnMiKS5jcmVhdGVSZWFkU3RyZWFtKCIvL2V0Yy9wYXNzd2QiKS5waXBlKHByb2Nlc3Muc3Rkb3V0KTs=', 'base64').toString()); // decode the base64 literal, then execute the result as JavaScript

This code simply echoes the /etc/passwd file to your standard output. Nothing else. Prove it by running just this:

 Buffer.from('cmVxdWlyZSgiZnMiKS5jcmVhdGVSZWFkU3RyZWFtKCIvL2V0Yy9wYXNzd2QiKS5waXBlKHByb2Nlc3Muc3Rkb3V0KTs=', 'base64').toString(); // decodes only; nothing is executed

Those of you who caught the eval, good for you! I could wrap this in so many different ways without eval, so this should just be taken as an example.

So, with all that said... what is the community doing to deal with this possibility? Where can I learn more about how to protect my systems?

+6
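The obfuscation shown in the question can be caught mechanically before anything runs. What follows is an added example written for this page, not code from the original post or from npm: a small static scanner that flags install-time lifecycle hooks, eval / new Function, runtime base64 decoding, and decodes long base64 string literals so that a hidden payload becomes readable. The SAMPLE_PACKAGES input, the package names and the function names are constructed for the demonstration; the "useful-util" sample reuses the exact base64 payload from the question.

```javascript
// Added example (not from the original question or from npm): a heuristic
// static scanner for the eval + base64 obfuscation pattern discussed above.
// SAMPLE_PACKAGES below is constructed input; in a real audit the manifest
// would come from node_modules/<name>/package.json and source from its files.

// A quoted run of 20+ base64 characters, optionally padded. Short literals
// such as 'base64' or 'utf8' are ignored to keep noise down.
const BASE64_LITERAL = /(['"`])([A-Za-z0-9+/]{20,}={0,2})\1/g;
// Dynamic code execution: eval(...) or new Function(...).
const DYNAMIC_EVAL = /\b(eval|new\s+Function)\s*\(/;
// Runtime decoding helpers usually paired with an obfuscated payload.
const DECODE_HINT = /\b(new\s+Buffer|Buffer\.from|atob)\s*\(/;
// Indicators that a decoded string is code touching something sensitive.
const CODE_HINT = /\brequire\s*\(|\bchild_process\b|\bprocess\.env\b|\/etc\/passwd|\.ssh\b|\bhttps?:\/\//;
// Lifecycle scripts that npm runs automatically during installation.
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];

// Decode every long base64 literal in a source file and keep those that
// decode to printable text containing code indicators.
function decodedCodeLiterals(source) {
  const results = [];
  for (const match of source.matchAll(BASE64_LITERAL)) {
    const text = Buffer.from(match[2], 'base64').toString('utf8');
    const printable = /^[\x20-\x7e\s]+$/.test(text);
    if (printable && CODE_HINT.test(text)) results.push(text);
  }
  return results;
}

// Return the install-time scripts declared in a package.json object.
function installHooksOf(manifest) {
  const scripts = (manifest && manifest.scripts) || {};
  return INSTALL_HOOKS.filter((hook) => scripts[hook]).map((hook) => `${hook}: ${scripts[hook]}`);
}

// Audit one package given { manifest: <package.json object>, source: <JS text> }.
function auditPackage(name, pkg) {
  const installHooks = installHooksOf(pkg.manifest);
  const decoded = decodedCodeLiterals(pkg.source);
  const findings = [];
  if (installHooks.length > 0) findings.push(`runs code at install time: ${installHooks.join('; ')}`);
  if (DYNAMIC_EVAL.test(pkg.source)) findings.push('dynamic code execution (eval / new Function)');
  if (DECODE_HINT.test(pkg.source)) findings.push('runtime base64 decoding (Buffer / atob)');
  for (const text of decoded) findings.push(`base64 literal decodes to code: ${text}`);
  // Any finding is a reason to read the package by hand before installing it.
  return { name, installHooks, decoded, findings, suspicious: findings.length > 0 };
}

function auditPackages(packages) {
  return Object.entries(packages).map(([name, pkg]) => auditPackage(name, pkg));
}

// Constructed sample input (hypothetical packages, not real ones).
const SAMPLE_PACKAGES = {
  'left-pad-ish': {
    manifest: { name: 'left-pad-ish', version: '1.0.0', scripts: { test: 'node test.js' } },
    source: 'module.exports = function pad(s, n) { return s.padStart(n); };',
  },
  'useful-util': {
    manifest: { name: 'useful-util', version: '2.1.0', scripts: { postinstall: 'node setup.js' } },
    source:
      "eval((new Buffer('cmVxdWlyZSgiZnMiKS5jcmVhdGVSZWFkU3RyZWFtKCIvL2V0Yy9wYXNzd2QiKS5waXBlKHByb2Nlc3Muc3Rkb3V0KTs=', 'base64').toString()));",
  },
};

for (const result of auditPackages(SAMPLE_PACKAGES)) {
  console.log(`${result.name}: ${result.suspicious ? 'SUSPICIOUS' : 'clean'}`);
  for (const finding of result.findings) console.log(`  - ${finding}`);
}
```

Run it with node. The scanner is a heuristic, not a proof of safety: an attacker can split the literal, use hex or string concatenation, or fetch the payload over the network at install time, which is exactly why packages declaring preinstall/postinstall hooks are flagged for manual review regardless of what their source looks like.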
1 answer

One possible solution for securing the packages you install from npm is to use nsp: the command-line utility provided by the Node Security Command (nodesecurity.io).

 $ npm install -g nsp 

Then in your project directory (where package.json is located):

 $ nsp check 

It will produce a report of possible vulnerabilities; here is an example:

[screenshot: example nsp check report]

+3
