Yuri
2015-Mar-16 19:57 UTC
npm doesn't check package signatures, should www/npm print security alert?
www/npm downloads and installs packages without having signature checking in place.
There is a discussion about package security https://github.com/node-forward/discussions/issues/29 , but actual checking isn't currently done.

Additionally, npm allows direct downloads of GitHub projects without any authenticity checking or maintainer review, see documentation https://docs.npmjs.com/cli/install . Non-explicit syntax 'npm install githubname/reponame' can also be easily confused with the official package name. Random GitHub projects can contain code without any guarantees.

I think there is the risk that some malicious JavaScript code can be injected through a MITM attack, and server side JavaScript is a fully functional language.

Shouldn't www/npm at least print a security alert about this? It probably shouldn't be used on production systems until package authentication is in place.

Yuri
Mark Felder
2015-Mar-16 20:05 UTC
npm doesn't check package signatures, should www/npm print security alert?
On Mon, Mar 16, 2015, at 14:57, Yuri wrote:
> www/npm downloads and installs packages without having signature
> checking in place.
> There is the discussion about package security
> https://github.com/node-forward/discussions/issues/29 , but actual
> checking isn't currently done.
>
> Additionally, npm allows direct downloads of GitHub projects without any
> authenticity checking or maintainer review, see documentation
> https://docs.npmjs.com/cli/install . Non-explicit syntax 'npm install
> githubname/reponame' can also be easily confused with the official
> package name. Random GitHub projects can contain code without any
> guarantees.
>
> I think there is the risk that some malicious JavaScript code can be
> injected through the MITM attack, and server side JavaScript is a fully
> functional language.
>
> Shouldn't www/npm at least print a security alert about this? It
> probably shouldn't be used on production systems until package
> authentication is in place.
>
> Yuri

This would require FreeBSD to modify npm code to inject this message, correct? Or do you just want a post-install message when the package is installed to remind FreeBSD users about it?

It seems to me a scary warning patch should be sent upstream.
Yuri
2015-Mar-17 09:16 UTC
npm doesn't check package signatures, should www/npm print security alert?
On 03/16/2015 12:57, Yuri wrote:
> www/npm downloads and installs packages without having signature
> checking in place.
> There is the discussion about package security
> https://github.com/node-forward/discussions/issues/29 , but actual
> checking isn't currently done.

I added the pkg-message with security advisories about this: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=198653

Yuri