惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

L
LINUX DO - 最新话题
G
Google Developers Blog
J
Java Code Geeks
The GitHub Blog
The GitHub Blog
F
Full Disclosure
H
Help Net Security
OSCHINA 社区最新新闻
OSCHINA 社区最新新闻
Vercel News
Vercel News
酷 壳 – CoolShell
酷 壳 – CoolShell
Recent Announcements
Recent Announcements
Help Net Security
Help Net Security
The Hacker News
The Hacker News
IT之家
IT之家
Y
Y Combinator Blog
Martin Fowler
Martin Fowler
L
Lohrmann on Cybersecurity
C
CERT Recently Published Vulnerability Notes
V
Visual Studio Blog
博客园 - 聂微东
Hacker News: Ask HN
Hacker News: Ask HN
H
Hacker News: Front Page
Know Your Adversary
Know Your Adversary
Security Latest
Security Latest
Security Archives - TechRepublic
Security Archives - TechRepublic
Simon Willison's Weblog
Simon Willison's Weblog
www.infosecurity-magazine.com
www.infosecurity-magazine.com
T
Troy Hunt's Blog
Last Week in AI
Last Week in AI
Schneier on Security
Schneier on Security
N
News and Events Feed by Topic
博客园 - 【当耐特】
有赞技术团队
有赞技术团队
AWS News Blog
AWS News Blog
Blog — PlanetScale
Blog — PlanetScale
博客园_首页
Google DeepMind News
Google DeepMind News
Cloudbric
Cloudbric
N
News | PayPal Newsroom
A
About on SuperTechFans
S
Schneier on Security
K
KPMG report finds enterprise disconnect between AI and its ROI | CIO
Hugging Face - Blog
Hugging Face - Blog
M
MIT News - Artificial intelligence
CTFtime.org: upcoming CTF events
CTFtime.org: upcoming CTF events
雷峰网
雷峰网
T
The Exploit Database - CXSecurity.com
罗磊的独立博客
K
Kaspersky official blog
The Cloudflare Blog
I
Intezer

NodeJS Security & NodeJS Secure Coding's Blog

Hardening Your npm and pnpm Configs in the Age of Shai-Hulud Argument Injection vulnerability in git-blame@1.4.0 Argument Injection vulnerability in `gits@0.1.8` Command Injection vulnerability in `@fab1o/git@1.4.0` Command Injection vulnerability in `git-contributors` via unsanitized CLI arguments Command Injection vulnerability in `git-q@0.0.3` Command injection vulnerability via unsanitized CLI arguments in touxing/fast-git-clone Command Injection vulnerability in `willitmerge@0.2.1` A Directory Traversal Vulnerability I found in Mastra AI Frameworks MCP Server Mastering NPX: A Cheatsheet for npm and Node.js Power Users Mitigate Supply Chain Security with DevContainers and 1Password for Node.js Local Development The Tale of the Vulnerable MCP Database Server Bad Security Defaults in Mastra AI Frameworks Templates SQL Injection and Bypassing "Read-Only" Mode in Xata's MCP Server Security Advisory for qix npm supply-chain compromise affecting debug and billions of weekly download users How to Mitigate SQL Bypass in MCP Servers Enhancing MCP Server Security: A Guide to Using execFile Argument Injection Vulnerability in ggit How to Bypass Access Control in PostgreSQL in Simple PSQL MCP Server for SQL Injection Command Injection Flaws in ggit: Unveiling a Vulnerability Command Injection Vulnerability in Create MCP Server STDIO Tool Exposes System Monitoring Functions GitHub Kanban MCP Server Command Injection Vulnerability Threatens Developer Workflows Critical Command Injection Flaw in iOS Simulator MCP Server Exposes Development Environments Command Injection Vulnerability Discovered in Codehooks MCP Server: A Critical Security Analysis SSRF Shenanigans in safe-axios: Redirects Open the Backdoor SSRF Vulnerability in safe-axios: Unintended Public Address Classification Bypassing SSRF Safeguards in ssrfcheck: A Case of Incomplete Denylists Don't Be Fooled by Multicast, SSRF Bypass in private-ip Node.js Authentication from Lucia to Better Auth Bypassing SSRF Protection in nossrf: When Your Safeguards Become Loopholes Vue CLI Security Fix to Mitigate NPM Binary Planting Node.js API Security Vulnerabilities with Path Traversal in files-bucket-server Will You Accept These GPT 4o Secure Coding Recommendations? Command Injection Vulnerability in interactive-git-checkout npm package An Introduction to SSRF Bypasses and Denylist Failures Disclosing a Command Injection Vulnerability in `git-checkout-tool` Prisma Raw Query Leads to SQL Injection? Yes and No Flawed Git Promises Library on npm Leads to Command Injection Vulnerability Regex Gone Wrong: How parse-duration npm Package Can Crash Your Node.js App How I found an XSS in the Nuxt MDC Library for Markdown Content Holes in the Safety Net: Bypassing SSRF Protection in safe-axios How to Parse URLs from Markdown to HTML Securely? NPM Ignore Scripts Best Practices as Security Mitigation for Malicious Packages Where to find npm vulnerabilities? How to Hunt for IDOR Vulnerabilities To Exploit Security Misconfiguration? How to Avoid JWT Security Mistakes in Node.js Can a Node.js Secure Code Review Find Future Vulnerabilities? The Okta bcrypt Security Incident and The Bun vs Node.js Angle in Secure By Design NodeJS Path Traversal Vulnerability Scanner Do not use secrets in environment variables and here's how to do it better How to use npm audit How to use yarn audit Raw SQL Queries are Actually Better for Security Than ORMs? Node API Security Is Node.js Secure? URL Regex Validation: what can go wrong? Uncovering a Prototype Pollution Regression in the core Node.js project Deno CLI Vulnerability Repeats npm mistakes: CVE-2024-37150 Security skills for JavaScript developers Understanding and Preventing Prototype Pollution in Node.js How to protect against a security breach in React Server Components IDOR Vulnerability: What is it and how to prevent it? The security vulnerability of serving images via a route as opposed to static middleware in Node.js Why is it considered a bad practice to write raw SQL commands? JS Security Concepts for JavaScript Developers Secure Coding Practices in Node.js Against Path Traversal Vulnerabilities Secure JavaScript Coding Practices Against Command Injection Vulnerabilities To IDOR or Not to IDOR: Insecure Direct Object Reference in JavaScript Applications Explained npm vulnerabilities: reviewing the security of your dependencies Disclosing code injection vulnerabilities in safe-eval-2 npm package Introducing Node.js Security Permissions Model, Threat Model, and Security Releases Common Node.js Security Issues and How to Mitigate Them How JavaScript developers should embrace npm security The XZ backdoor CVE-2024-3094: a JavaScript perspective Node.js Security Best Practices Protecting Against Common Node.js Vulnerabilities Input Validation Security Best Practices for Node.js A Node.js Vulnerability Scanner to Avoid Security Risks of EOL Runtime Versions JavaScript Security Issues in Node.js Applications OWASP Node.js Authentication, Authorization and Cryptography Practices OWASP Node.js Best Practices Guide Secure JavaScript Coding to Avoid Insecure Direct Object References (IDOR) North Korea malware on npm and Ledger connect-kit crypto heist 10 Best Practices for Secure Code Review of Node.js code Node.js and OWASP Top Ten Command Injection: Don't Let Your App Go 'BOOM' Secure Code Review Tips to Defend Against Vulnerable Node.js Code Destroyed by Dashes: How Two Hyphens Cause Argument Injection Vulnerability in blamer npm Package Securing Your Node.js Apps by Analyzing Real-World Command Injection Examples An Introduction to Command Injection Vulnerabilities in Node.js and JavaScript
The Case for Node.js Secure Configuration
2024-03-09 · via NodeJS Security & NodeJS Secure Coding's Blog

What’s the case for a Node.js secure configuration when you deploy applications to production environments? These can be anything from unpatched vulnerabilities that lurk in outdated Node.js versions to third-party packages, waiting to be exploited by malicious actors. These vulnerabilities can range from granting unauthorized access to sensitive data to completely compromising your application.

Insecure configuration further amplifies the risk. Sensitive information like API keys and passwords stored in plain text become easy targets. Do you use the Node.js permission model --allow-fs-read to limit this threat of attackers reading sensitive files that they shouldn’t have access to? Even seemingly harmless practices like inadequate logging can expose sensitive information in logs, making it accessible to unauthorized users.

Furthermore, prototype pollution vulnerabilities just like the previously reported CVE-2023-30581 in which the use of proto in process.mainModule.proto.require() can bypass the policy mechanism, present an actual risk to Node.js runtime versions, your JavaScript code and to certain libraries and frameworks. These type of vulnerabilities allow attackers to manipulate core JavaScript objects, potentially granting them unauthorized access or control. Outdated dependencies add another layer of risk, harboring unpatched vulnerabilities even if your Node.js version is current. Attackers can exploit these outdated dependencies to gain a foothold in your system.

So how does secure configuration shield against these threats? By keeping Node.js and dependencies up-to-date, implementing robust Node.js permission model, and using secure logging practices and following best practices for bootstrapping a Node.js application configuration you significantly reduce your attack surface and protect sensitive information.

Environment Variables Anti-Patterns

Environment variables are a cornerstone of secure Node.js configuration, storing sensitive information like API keys and database credentials outside your application code. But beware the anti-patterns that can crack this protective shell!

  • Exposing the Nest: Resist the urge to directly access process.env in your code. This not only reveals the variable names but also potentially exposes other sensitive data stored there. Instead, rely on dedicated libraries like dotenv or secure-env to load and manage environment variables securely.

  • Trust, but Verify: Don’t blindly trust values retrieved from environment variables. Implement validation checks to ensure they conform to expected formats and data types. This helps prevent unexpected behavior and vulnerabilities arising from malformed or incorrect data. Tip: the env-schema npm package is useful for this!

  • The Forbidden Fruit of Code: Never embed secrets like passwords, tokens, or private keys directly within your code. This creates a single point of failure and makes it readily accessible to anyone with access to the codebase. Stick to environment variables at the very least to keep your code clean from sensitive data that may be leaked in the future.

This next point is about .env files, but make no mistakes that it is still way too easy to commit .env files:

I've been using github for over four years now.

I just committed a .env file. Again.

— IroncladDev 🔩 (@IroncladDev) February 8, 2024

As IroncladDev pointed out, this is a confusing case of how Next.js works:

used the next.js default one, which only ignores .env.local (I used plain .env)

And with that, this brings us to the next point about .env files:

  • Beware the Accidental Treasure Map: While .env files are convenient for local development, remember their sensitivity. Never commit them to your source control repository! Doing so exposes your secrets to anyone with access to the code, potentially compromising your entire production environment. Use dedicated secrets management solutions or create a gitignore rule to exclude .env files from version control.

By adhering to these best practices, you can transform environment variables from a potential security risk into a robust shield for your Node.js application. I wrote an in-depth article on about environment variables and configuration anti patterns in Node.js applications.

The Androxgh0st Malware

Do you think I’m overreacting in terms of sensitivity to potential insecurities of using .env files?

CISA, which is America’s Cybersecurity and Infrastructure Security Agency, issued a document for known indicators of compromise associated with the Androxgh0st malware which harvests .env files. How so? the malware scans for Laravel PHP applications on the Internet and once it finds one it determines if they are misconfigured and exposing a .env file so it can steal the credentials and any API keys mentioned in it.

Meet the Node.js Permission Model

Imagine your Node.js application as a bustling city, with data and files flowing freely like traffic. But what happens when a malicious actor sneaks in, looking to exploit vulnerabilities and steal sensitive information? This is where the Node.js permission model comes in, offering a powerful tool to lock-down your application and keep unauthorized access at bay.

Enter Node.js command-line flags like --allow-fs-read. This flag, activated by the --experimental-permission switch, allow you to define exactly what your application can and cannot do. Need to read specific files for functionality? Grant limited access with --allow-fs-read=<path>.

One major risk we’re addressing here is malicious file reads. Imagine your application storing sensitive data like API keys or user passwords in easily accessible locations. A single vulnerability, like a path traversal attack, could become the key for attackers to unlock this treasure trove. By limiting file system access with the permission model, you create a fortified wall, making it much harder for attackers to reach these sensitive areas.

But the benefits don’t stop there. Path traversal vulnerabilities, often exploited by attackers to traverse beyond intended file paths, become significantly less potent when you restrict file system access. Imagine a path traversal attack leading to a normally inaccessible file containing critical information. With the permission model in place, that file remains safely off-limits, effectively neutralizing the threat.

Don’t underestimate the importance of secure coding in Node.js applications and mastering the art of path traversal defense? Look no further than my book, Node.js Secure Coding: Prevention and Exploitation of Path Traversal Vulnerabilities”.

Concluding

Securing your Node.js application requires a multi-pronged approach. Environment variables are often convenient to developers, but avoid accessing them directly or embedding secrets in code. Use dedicated libraries for secure loading and validation. Remember, never commit .env files containing sensitive information to source control. Likewise, the Node.js permission model offers a powerful security layer. By defining specific file access rights with flags like --allow-fs-read, you create a fortified wall against unauthorized data reads.

These two aspects of Node.js secure configuration help significantly reduce the impact of path traversal vulnerabilities, a major attack vector for malicious actors. Embrace them to build robust and secure Node.js application.