-
Notifications
You must be signed in to change notification settings - Fork 30k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Improve Security of node_modules and package.json Resolution #43192
Comments
@nodejs/modules |
Node.js already has a policy manifest system for clearly restricting and defining what code may be loaded, and even contextualizing which parent scopes permit that loading. Are there any specific security concerns here which policy does not currently address? Better education and tooling workflows around policies is definitely something to consider here from a security perspective. |
This comment was marked as spam.
This comment was marked as spam.
This comment was marked as resolved.
This comment was marked as resolved.
@guybedford Thanks for pointing out the policy manifest system. I wasn't aware of it, and it looks interesting. My (very early) impression is that it is not a suitable replacement for the following reasons:
|
I'm glad to see someone taking interest in these topics. We should discuss the needs prior to solutions hence the leaning towards seeing what needs policies currently do fill and thanks for a list of concerns about them.
Per the proposal:
How does this deal with things in
Likely this would need to default to being used unless we could make a big break to the ecosystem. Per alternatives:
thanks for bringing up discussion on this!
Yup, even this proposal changes various workflows to no longer be supported and that needs more discussion.
Home directory is problematic because not all programs have the same acceptable privileges. Any configuration needs to be localized to an application.
Additional configuration isn't a fatal aspect in security. It would be good to know if the amount of configuration is unacceptable / why / how to mitigate.
This likely is incompatible with peerDependencies and some hoisting various package managers do. Take away:
|
Thank you for the thoughtful response. I'd like to see the node ecosystem as a whole improve and have confidence that my projects, specifically, aren't accidentally vulnerable.
Can you expand on this -- both the difference between "don't search" and "don't allow" as well as how
Thanks. My impression from the docs was that policies only applied to
Certainly! At the same time, I find the current defaults surprisingly insecure. Requiring opt-in places the burden on each such application or library, but more-secure defaults could fix most of that in one motion.
I initially read this as asking about nested structures within dependencies, but it could also apply to structures within a top level project. I had envisioned links solving this. Package managers might possibly be able to automatically adapt nested structures within dependencies. Requiring projects to do the same seems like too much. Such links would be scattered throughout a project. They would be at paths not touched by a package manager, clutter the project, and likely break other tools. Also, projects can simultaneously be standalone entities and dependencies of larger projects.
Yes, and the proposal would break more than I see package managers being able to automatically fix.
For things like checking file hashes or sophisticated sandboxing, I feel that requiring additional configuration is reasonable. For something as simple as
Things I'd like to see in a proposed solution:
|
The following policy.json file roughly sets a ceiling for dependencies. "./" is relative to the location of the policy file. A file within "./" may request any dependency. The normal search is performed, but the integrity check for files found within "./" succeeds and the integrity check for files found outside of "./" fails.
It is possible to pass |
@guybedford @bmeck policies protect from the outside -- whatever calls There's a suggestion of referencing a policy from |
There is currently no effort to fund that policy work directly since the Node.js project is relying on volunteer work for now. If you would like to work on such a feature; I think such a feature wouldn't be too hard to implement but likely needs the design refined further by testing in the wild. |
@bmeck When you say "link", is that a technical term here distinct from when the code runs? I suspect using such an API with ESM would require indirection. For policy available synchronously (such as that embedded directly in source), a single import at the top of the program-entry-point would run before other imports. For policy only available asynchronously, dynamic |
Yes, all imports have their source text loaded and exports/imports bound prior to any evaluation in the graph. So even if there is a top level import at the entry point to a program all dependencies of the program are already loaded in the default ESM workflow. |
I'd note that this linking is required by ESM spec, not Node.js itself and is required for various validations around early errors, circular dependencies, and now import assertions. |
@bmeck thanks. I see what you mean about linking.
Returning to this idea, maybe whenever we walk toward the root looking for a
Thoughts on this approach? I don't mind sharing the code, but it's not cleaned up for a pull-request yet. |
Stop searching for package.json or node_modules when a node_ceiling file is found. Refs: nodejs#43192 Refs: nodejs#43368
There has been no activity on this feature request for 5 months and it is unlikely to be implemented. It will be closed 6 months after the last non-automated comment. For more information on how the project manages feature requests, please consult the feature request management document. |
Closing. I'd still like to see this. Maybe a proposal for ambient configuration will gain traction and make this easier. |
That didn't mark it closed. |
What is the problem this feature will solve?
It is easy to accidentally allow another user to influence what code node loads and executes. Details can be found at HackerOne reports 1564437 (CommonJS module loading), 1564444 (ECMAScript module resolution), and 1564445 (package.json). While these behaviors are documented, the security implications are easy to overlook.
Insecure patterns around these features are in common use. For example, any combination of the following two circumstances is likely to be insecure:
What is the feature you are proposing to solve the problem?
I suggest a multi-phase approach which can be modified by further discussion and feedback. Because there are security implications, I'd like improvements to be made as soon as possible. Because of both security and compatibility implications, a cautious approach is also desirable. Here are some potential phases:
Proposed behavior update:
--insecure-loader
option to re-enable the old behavior.Questions:
./node_modules
and./package.json
are trusted a reasonable burden to place on someone wanting to run./script.js
?What alternatives have you considered?
Edit: Replaced "from" with "from under" to clarify that the script need not be immediately in a shared directory or immediately in a home directory.
The text was updated successfully, but these errors were encountered: