Dangerous dependencies in npm

In short, there are already a lot of dependencies that send environment variables (in practice the database or API connection data, in many cases) to various third parties. They have names similar to the real dependencies, but actually steal credentials or worse.

babelcli - v1.0.1 - Babel CLI for Nodejs
crossenv - v6.1.1 - Run scripts that set and use environment variables across platforms
cross-env.js - v5.0.1
d3.js - v1.0.1 - d3.js for Nodejs
fabric-js - v1.7.18 - Object model for HTML5 canvas, and SVG-to-canvas parser. Backed by jsdom and node-canvas.
ffmepg - v0.0.1 - FFmpeg for Nodejs
gruntcli - v1.0.1 - Grunt CLI for Nodejs
http-proxy.js - v0.11.3 - Node.js proxy tools
jquery.js - v3.2.2-pre - jquery.js for Nodejs
mariadb - v2.13.0 - A node.js driver for mysql. It is written in JavaScript, does not require compiling, and is 100% MIT licensed.
mongose - v4.11.3 - Mongoose MongoDB ODM
mssql.js - v4.0.5 - Microsoft SQL Server client for Node.js.
mssql-node - v4.0.5 - Microsoft SQL Server client for Node.js.
mysqljs - v2.13.0 - A node.js driver for mysql. It is written in JavaScript, does not require compiling, and is 100% MIT licensed.
nodecaffe - v0.0.1 - caffe for Nodejs
nodefabric - v1.7.18 - Object model for HTML5 canvas, and SVG-to-canvas parser. Backed by jsdom and node-canvas.
node-fabric - v1.7.18 - Object model for HTML5 canvas, and SVG-to-canvas parser. Backed by jsdom and node-canvas.
nodeffmpeg - v0.0.1 - FFmpeg for Nodejs
nodemailer-js - v4.0.1 - Easy as cake e-mail sending from your Node.js applications
nodemailer.js - v4.0.1 - Easy as cake e-mail sending from your Node.js applications
nodemssql - v4.0.5 - Microsoft SQL Server client for Node.js.
node-opencv - v1.0.1 - OpenCV for Nodejs
node-opensl - v1.0.1 - OpenSSL for Nodejs
node-openssl - v1.0.1 - OpenSSL for Nodejs
noderequest - v2.81.0 - Simplified HTTP request client.
nodesass - v4.5.3 - Wrapper around libsass
nodesqlite - v2.8.1 - SQLite client for Node.js applications with SQL-based migrations API
node-sqlite - v2.8.1 - SQLite client for Node.js applications with SQL-based migrations API
node-tkinter - v1.0.1 - Tkinter for Nodejs
opencv.js - v1.0.1 - OpenCV for Nodejs
openssl.js - v1.0.1 - OpenSSL for Nodejs
proxy.js - v0.11.3 - Node.js proxy tools
shadowsock - v2.0.1 - A tunnel proxy that help you get through firewalls
smb - v1.5.1 - A Pure JavaScript SMB Server Implementation
sqlite.js - v2.8.1 - SQLite client for Node.js applications with SQL-based migrations API
sqliter - v2.8.1 - SQLite client for Node.js applications with SQL-based migrations API
sqlserver - v4.0.5 - Microsoft SQL Server client for Node.js.
tkinter - v1.0.1 - Tkinter for Nodejs
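As an added example (not code from this thread or from npm itself): a small check that reads a project's manifest, flags any dependency whose name is on the list quoted above, and also flags names within one edit of a trusted package name, since every entry on that list is a variation of a real package. The trusted list and the sample manifest are assumptions constructed for the example.

```javascript
// Added example, not code from this thread or from npm: check a project's
// package.json against the malicious names quoted above and flag look-alikes.
// Names as listed in the thread (2017); refresh this set from current advisories.
const KNOWN_MALICIOUS = new Set([
  'babelcli', 'crossenv', 'cross-env.js', 'd3.js', 'fabric-js', 'ffmepg', 'gruntcli',
  'http-proxy.js', 'jquery.js', 'mariadb', 'mongose', 'mssql.js', 'mssql-node', 'mysqljs',
  'nodecaffe', 'nodefabric', 'node-fabric', 'nodeffmpeg', 'nodemailer-js', 'nodemailer.js',
  'nodemssql', 'node-opencv', 'node-opensl', 'node-openssl', 'noderequest', 'nodesass',
  'nodesqlite', 'node-sqlite', 'node-tkinter', 'opencv.js', 'openssl.js', 'proxy.js',
  'shadowsock', 'smb', 'sqlite.js', 'sqliter', 'sqlserver', 'tkinter',
]);
// Assumed allow-list of the real packages the squats imitate; extend it per project.
const TRUSTED = ['babel-cli', 'cross-env', 'd3', 'fabric', 'grunt-cli', 'http-proxy',
  'jquery', 'mysql', 'mongoose', 'mssql', 'nodemailer', 'request', 'node-sass', 'sqlite3'];
// Levenshtein edit distance (single-row dynamic programming).
function editDistance(a, b) {
  const row = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diag = row[0];
    row[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const above = row[j];
      row[j] = Math.min(above + 1, row[j - 1] + 1, diag + (a[i - 1] === b[j - 1] ? 0 : 1));
      diag = above;
    }
  }
  return row[b.length];
}
// Spellings the squats used: "foo.js", "foo-js", "foojs", "nodefoo", "node-foo".
function variants(name) {
  const noSuffix = name.replace(/(-|\.)?js$/, '');
  return [name, noSuffix, noSuffix.replace(/^node-?/, '')];
}
// One finding per dependency that is known-bad or within one edit of a trusted name.
function auditDependencies(pkg) {
  const findings = [];
  for (const name of Object.keys({ ...pkg.dependencies, ...pkg.devDependencies })) {
    if (KNOWN_MALICIOUS.has(name)) { findings.push({ name, reason: 'known-malicious' }); continue; }
    if (TRUSTED.includes(name)) continue;
    const twin = TRUSTED.find(t => Math.min(...variants(name).map(v => editDistance(v, t))) <= 1);
    if (twin) findings.push({ name, reason: `look-alike of ${twin}` }); // review manually
  }
  return findings;
}
// Constructed sample manifest (not a real project); 'mongoos' is a made-up typo.
const SAMPLE_PACKAGE_JSON = {
  dependencies: { express: '^4.15.4', crossenv: '^6.1.1', mongoos: '^4.11.3' },
  devDependencies: { 'd3.js': '^1.0.1', 'babel-cli': '^6.26.0' },
};
console.log(auditDependencies(SAMPLE_PACKAGE_JSON));
```

Look-alike hits are a heuristic (a legitimate `mysql2` is one edit from `mysql`), so treat them as items to review rather than as verdicts.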

At the last DevMeet I was telling someone that I'm really afraid to leave things built with node in production
reason++

bonus: https://github.com/ChALkeR/notes/blob/master/Gathering-weak-npm-credentials.md


debug, qs, supports-color, yargs, commander, request, strip-ansi, chalk, form-data, mime, tunnel-agent, extend, delayed-stream, combined-stream, forever-agent, concat-stream, vinyl, co, express, escape-html, path-to-regexp, component-emitter, moment, ws, handlebars, connect, escodegen, got, gulp-util, ultron, http-proxy, dom-serializer, url-parse, vinyl-fs, configstore, coa, csso, formidable, color, winston, node-sass, react, react-dom, rx, postcss-calc, superagent, basic-auth, cheerio, jsdom, gulp, sinon, useragent, deprecated, browserify, redux, array-equal, bower, jshint, jasmine, global, mongoose, vhost, imagemin, highlight.js, tape, mysql, mz, nock, rollup, gulp-less, rework, xcode, ionic, cordova, normalize.css, electron, n, react-native, ember-cli, yeoman-generator, nunjucks, koa, modernizr, yo, mongoskin, and a lot more.

npm would be a site where the use of SSL keys at login could be made mandatory. But still, I wouldn't be concerned about using dependencies from npm in production, because there are also people who care about the security of dependencies. You can also use scopes to make sure you only take things from people you trust.

I mean, I'd say npm is still safer than NuGet, Composer, pip, gem or Maven, not to mention more elegant.


https://www.twilio.com/blog/2017/08/find-projects-infected-by-malicious-npm-packages.html

This is a problem with any package manager in the end, isn't it? Maybe exacerbated by the larger number of dependencies in a JavaScript project. From the article it looks like people are working on this problem, with some initial solutions.

One infrastructure-side solution to this problem is to not allow internal systems to connect to the internet, except through targeted whitelists (i.e. service X needs to make a call to external service Y, so we allow it).


Why do you say that?

Maybe because npm warns you when you install outdated packages or ones with known security issues. Besides that, there are also external tools that can warn you if you have vulnerable dependencies. One such service is Snyk (npm module https://www.npmjs.com/package/snyk ), which sends the contents of package.json to their server, where every dependency in the tree is checked against their vulnerability database.