-
Notifications
You must be signed in to change notification settings - Fork 30.4k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Module search security 8830 #176
Module search security 8830 #176
Conversation
This was recently discussed on joyent/node. Have you seen @chrisdickinson's reply? |
Yes I have, and I will not be surprised if this is rejected. If so, it would be great if I could get some guidance as to what the community needs. Pointers to features which should actually be implemented, or what real bugs should be fixed would be helpful, though I know this is hard with the massive backlog. |
-1 It adds a weird random unexpected behaviour for a very specific situation. For our servers it wouldn't add any level of security since each project is deployed under |
@algesten it seems like @ivan has a different opinion specific to multi-user windows systems (of which there are many). This is different than your setup. |
I agree we need to do better here, although I'm not sure how. I'll bring it up at the TC meeting tonight. |
@bnoordhuis Thanks! I'd really like to help, but it's hard swimming through a see of bugs, only to have this happen. |
|
||
// Restore mocked home directory environment variables for other tests | ||
if (isWindows) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Is this part necessary? Each test is run in a separate process, so the env gets reset.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It may not be. That would simplify the test.
TC discussed this today, see #178 for meeting minutes and a link to the video. The agreement was to move discussion back here. Unofficially, the tone of the discussion leads me to believe that this PR is unlikely to land without more compelling arguments and perhaps examples. It'd be worth reviewing the meeting video to get the nuance of the discussion around this issue though. |
I think that the only real hazard here is User creation requires root access (in which case you're hosed already) and creating dirs in Stopping at the home dir is an arbitrary and surprising behavior. An alternate proposal, to stop lookup at the cwd, is just as arbitrary and will break many existing use-cases without a clear benefit. For example, if you have a script that does I'd be more comfortable simply saying that I am not trying to be excessively pedantic about keeping the module semantics frozen, and I apologize for the apparent resistance. Any change in this area has the potential to upset module interoperability, which affects all of our users in surprising ways. tl;drHere's what I'm ok with. If
|
Yeah, as nodejs/node-v0.x-archive#8830 (comment) describes, Vista, 7, and 8 allow anyone in Authenticated Users to create |
This is not clear. Imagine an automated process (e.g. signup on a shared hosting provider) that will allow you to name yourself "node_modules", or a human that can be socially engineered into letting you have a "node_modules" account for a made-up reason like "I need this for my node.js code to work". The process or the admin isn't the bad guy trying to hose you, so you were not hosed until node search behavior decided to run the attacker's code. |
Fair enough. Another question: is anyone using Node in environments like this? Isn't shared hosting sort of a thing of the past? VMs and container systems are easier and cheaper, and more secure for countless other reasons. |
Not sure about "shared hosting" in particular, but node ships with end-user-facing desktop software (e.g. LightTable, keybase.io, Atom, and Photoshop CC 2014), so it seems very plausible that someone would run node in an environment with arbitrarily-named users in |
@ivan as isaac pointed out in the TC meeting. if you have a shared hosting provider with no checks on what user names people can take, you have bigger problems than this. same goes for the social engineering scenario. there are a whole slew of bad names that any sane sysadmin will disallow normal users i.e. as i see it the only "solution" to this problem (if it is a problem. i'm not convinced) is to disallow climbing above userland is dangerous. don't trust it. |
A strategy that @piscisaureus suggested in the last TC meeting, which I haven't completely thought through yet, is to only search up to the left-most So, if a module at
Instead of:
This seems like it'd work fine for most npm use cases, and would prevent the possibility of exploits from If we do implement that strategy, then I'd suggest that it should be behind a feature flag for at least a major version cycle so we can vet it very carefully. |
Also, of course, that strategy would not help in cases where the requiring module isn't in a |
Closing this because it's become stale. It can be reopened if necessary but it seems like a new PR for discussion focusing on @isaacs' last suggestion might be in order for those concerned about this issue (fwiw I'd support that change but it'd break some people's existing workflows--e.g. I know of people who put all of their dev stuff inside a folder called node_modules just to avoid |
- Make env parameter name consistent in header - Remove napi_get_cb_holder; it is not used anywhere. We can add it back later if it's really needed.
It seems like some core contributors aren't the biggest fans of this, but this is a concern which should not be completely ignored.
I think that this is reasonable to protect against on multi-user Windows systems.
I would also update the accompanying docs.
I do not like what I'm doing with environment variables in the test, so if there is a better way to mock $HOME or the process module, please let me know.