惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

F
Full Disclosure
WordPress大学
WordPress大学
小众软件
小众软件
Cloudbric
Cloudbric
AWS News Blog
AWS News Blog
腾讯CDC
量子位
人人都是产品经理
人人都是产品经理
大猫的无限游戏
大猫的无限游戏
freeCodeCamp Programming Tutorials: Python, JavaScript, Git & More
V
Vulnerabilities – Threatpost
Scott Helme
Scott Helme
Hugging Face - Blog
Hugging Face - Blog
博客园_首页
C
CXSECURITY Database RSS Feed - CXSecurity.com
The Hacker News
The Hacker News
奇客Solidot–传递最新科技情报
奇客Solidot–传递最新科技情报
IT之家
IT之家
Jina AI
Jina AI
Attack and Defense Labs
Attack and Defense Labs
S
SegmentFault 最新的问题
Simon Willison's Weblog
Simon Willison's Weblog
The Cloudflare Blog
阮一峰的网络日志
阮一峰的网络日志
T
Tailwind CSS Blog
Last Week in AI
Last Week in AI
博客园 - 【当耐特】
Google Online Security Blog
Google Online Security Blog
美团技术团队
OSCHINA 社区最新新闻
OSCHINA 社区最新新闻
V
Visual Studio Blog
罗磊的独立博客
L
LINUX DO - 最新话题
博客园 - Franky
博客园 - 叶小钗
Apple Machine Learning Research
Apple Machine Learning Research
The Last Watchdog
The Last Watchdog
J
Java Code Geeks
AI
AI
C
Cisco Blogs
酷 壳 – CoolShell
酷 壳 – CoolShell
C
Cyber Attacks, Cyber Crime and Cyber Security
Cisco Talos Blog
Cisco Talos Blog
博客园 - 三生石上(FineUI控件)
雷峰网
雷峰网
Help Net Security
Help Net Security
钛媒体:引领未来商业与生活新知
钛媒体:引领未来商业与生活新知
云风的 BLOG
云风的 BLOG
I
Intezer
S
Securelist

NodeJS Security & NodeJS Secure Coding's Blog

Hardening Your npm and pnpm Configs in the Age of Shai-Hulud Argument Injection vulnerability in git-blame@1.4.0 Argument Injection vulnerability in `gits@0.1.8` Command Injection vulnerability in `@fab1o/git@1.4.0` Command Injection vulnerability in `git-contributors` via unsanitized CLI arguments Command Injection vulnerability in `git-q@0.0.3` Command injection vulnerability via unsanitized CLI arguments in touxing/fast-git-clone Command Injection vulnerability in `willitmerge@0.2.1` A Directory Traversal Vulnerability I found in Mastra AI Frameworks MCP Server Mastering NPX: A Cheatsheet for npm and Node.js Power Users Mitigate Supply Chain Security with DevContainers and 1Password for Node.js Local Development The Tale of the Vulnerable MCP Database Server Bad Security Defaults in Mastra AI Frameworks Templates SQL Injection and Bypassing "Read-Only" Mode in Xata's MCP Server Security Advisory for qix npm supply-chain compromise affecting debug and billions of weekly download users How to Mitigate SQL Bypass in MCP Servers Enhancing MCP Server Security: A Guide to Using execFile Argument Injection Vulnerability in ggit How to Bypass Access Control in PostgreSQL in Simple PSQL MCP Server for SQL Injection Command Injection Flaws in ggit: Unveiling a Vulnerability Command Injection Vulnerability in Create MCP Server STDIO Tool Exposes System Monitoring Functions GitHub Kanban MCP Server Command Injection Vulnerability Threatens Developer Workflows Critical Command Injection Flaw in iOS Simulator MCP Server Exposes Development Environments Command Injection Vulnerability Discovered in Codehooks MCP Server: A Critical Security Analysis SSRF Shenanigans in safe-axios: Redirects Open the Backdoor SSRF Vulnerability in safe-axios: Unintended Public Address Classification Bypassing SSRF Safeguards in ssrfcheck: A Case of Incomplete Denylists Don't Be Fooled by Multicast, SSRF Bypass in private-ip Node.js Authentication from Lucia to Better Auth Bypassing SSRF Protection in nossrf: When Your Safeguards Become Loopholes Vue CLI Security Fix to Mitigate NPM Binary Planting Node.js API Security Vulnerabilities with Path Traversal in files-bucket-server Will You Accept These GPT 4o Secure Coding Recommendations? Command Injection Vulnerability in interactive-git-checkout npm package An Introduction to SSRF Bypasses and Denylist Failures Disclosing a Command Injection Vulnerability in `git-checkout-tool` Prisma Raw Query Leads to SQL Injection? Yes and No Flawed Git Promises Library on npm Leads to Command Injection Vulnerability Regex Gone Wrong: How parse-duration npm Package Can Crash Your Node.js App How I found an XSS in the Nuxt MDC Library for Markdown Content Holes in the Safety Net: Bypassing SSRF Protection in safe-axios How to Parse URLs from Markdown to HTML Securely? Where to find npm vulnerabilities? How to Hunt for IDOR Vulnerabilities To Exploit Security Misconfiguration? How to Avoid JWT Security Mistakes in Node.js Can a Node.js Secure Code Review Find Future Vulnerabilities? The Okta bcrypt Security Incident and The Bun vs Node.js Angle in Secure By Design NodeJS Path Traversal Vulnerability Scanner Do not use secrets in environment variables and here's how to do it better How to use npm audit How to use yarn audit Raw SQL Queries are Actually Better for Security Than ORMs? Node API Security Is Node.js Secure? URL Regex Validation: what can go wrong? Uncovering a Prototype Pollution Regression in the core Node.js project Deno CLI Vulnerability Repeats npm mistakes: CVE-2024-37150 Security skills for JavaScript developers Understanding and Preventing Prototype Pollution in Node.js How to protect against a security breach in React Server Components IDOR Vulnerability: What is it and how to prevent it? The security vulnerability of serving images via a route as opposed to static middleware in Node.js Why is it considered a bad practice to write raw SQL commands? JS Security Concepts for JavaScript Developers Secure Coding Practices in Node.js Against Path Traversal Vulnerabilities Secure JavaScript Coding Practices Against Command Injection Vulnerabilities To IDOR or Not to IDOR: Insecure Direct Object Reference in JavaScript Applications Explained npm vulnerabilities: reviewing the security of your dependencies Disclosing code injection vulnerabilities in safe-eval-2 npm package Introducing Node.js Security Permissions Model, Threat Model, and Security Releases Common Node.js Security Issues and How to Mitigate Them How JavaScript developers should embrace npm security The XZ backdoor CVE-2024-3094: a JavaScript perspective Node.js Security Best Practices The Case for Node.js Secure Configuration Protecting Against Common Node.js Vulnerabilities Input Validation Security Best Practices for Node.js A Node.js Vulnerability Scanner to Avoid Security Risks of EOL Runtime Versions JavaScript Security Issues in Node.js Applications OWASP Node.js Authentication, Authorization and Cryptography Practices OWASP Node.js Best Practices Guide Secure JavaScript Coding to Avoid Insecure Direct Object References (IDOR) North Korea malware on npm and Ledger connect-kit crypto heist 10 Best Practices for Secure Code Review of Node.js code Node.js and OWASP Top Ten Command Injection: Don't Let Your App Go 'BOOM' Secure Code Review Tips to Defend Against Vulnerable Node.js Code Destroyed by Dashes: How Two Hyphens Cause Argument Injection Vulnerability in blamer npm Package Securing Your Node.js Apps by Analyzing Real-World Command Injection Examples An Introduction to Command Injection Vulnerabilities in Node.js and JavaScript
NPM Ignore Scripts Best Practices as Security Mitigation for Malicious Packages
2025-01-23 · via NodeJS Security & NodeJS Secure Coding's Blog

A common supply chain security issue with npm packages is the capability of malicious or compromised npm packages to execute arbitrary code or OS commands during the package installation process. This has been a common vector and security concern for developers in the JavaScript ecosystem for many years now and has been exploited by attackers to compromise systems.

About npm postinstall Scripts

The npm package manager (the CLI, not the registry) has a feature called lifecycle hooks. These hooks are scripts that are defined in the package.json manifest file and are executed at different stages of your projects installation process. One of the most commonly used lifecycle hooks is the postinstall script (but there’s also preinstall for example). This script is executed after a package is installed and can be used to perform additional setup or configuration tasks.

So to be practical, imagine the following scenario: your project depends on some third-party packages from npm, right? if you install a package example-dummy-package and this package itself defines in its own package.json file a postinstall run-script hook, then that command will run when you run the following in your project:

npm install `example-dummy-package`

This behavior applies to both direct dependencies or any transitive dependencies in your dependency graph that may define a postinstall (or other lifecycle run-script hook).

The Security Risk of npm postinstall scripts

As you can already imagine by now, the significant risk of the npm package manager allowing third-party dependencies to execute random commands means that any maintainer and any package in your dependency tree may run any operating system commands during your own npm install process.

While the risk is somewhat contained because the command would still only run with the privileges of your own user (or the CI user) that runs the npm install command, it is still significant.

Examples of postinstall scripts security incidents

There are countless examples of npm packages that were published to the npm registry with malicious intents and having postinstall scripts that would run malicious commands on the user’s machine. Here are a few examples:

  • eslint-scope - a package that was published with a malicious postinstall script that would steal the user’s npm credentials. This was indeed part of the official ESLint project that you probably heard of already. One of the package authors was compromised and the attacker published a new version of the package with the malicious script.
  • crossenv - a package that was published with a malicious postinstall script that would run a command to steal the user’s environment variables. Note, this package was a typo-squatting attack that was meant to look like the popular cross-env package from the popular JavaScript developer Kent C. Dodds.

Specifically, the case of crossenv shows the significant and security risk of postinstall scripts. Meaning, even if the system user used to install npm packages isn’t the root user, it still has access to sensitive information such as environment variables, .env files, and other secrets that could be used to breach the system and would be easily exfiltrated by a malicious postinstall script.

What is the npm ignore-scripts flag?

Ok, so how do we fix this postinstall scripts problem?

The npm CLI has a flag called ignore-scripts that can be used to prevent the execution of any lifecycle hooks defined in the package.json file of the packages you are installing. This flag can be used with any npm command that installs packages, such as npm install, npm ci, npm update, etc.

Here’s how you can use the ignore-scripts flag:

npm install --ignore-scripts <package-name>

This will install the package you specify without running any lifecycle hooks defined in the package’s package.json file of that package or any of its own transitive dependencies.

Yarn support for the —ignore-scripts flag

Yarn uses the enableScripts configuration flag to control whether lifecycle scripts are executed during package installation. By default, this flag is set to true which means that lifecycle scripts are executed. You can set this flag to false to disable the execution of lifecycle scripts during package installation.

The enableScripts configuration is set in the .yarnrc.yml file.

Apply the ignore-scripts flag by default

Better than passing the --ignore-scripts flag every time you install a package, you can configure npm to always ignore scripts by default. You can do this by setting the ignore-scripts configuration option in your .npmrc file:

echo "ignore-scripts=true" >> .npmrc

This is useful because it saves you from having to remember to pass the --ignore-scripts flag every time you install an npm package. It also helps to enforce the best practice of always ignoring scripts when installing packages from npm.

Bonus, if you push this .npmrc file to your project’s repository, you can enforce this best practice across your team and CI/CD pipelines so no one else needs to be bothered with remembering to pass the --ignore-scripts flag either.

To take it further, I also recommend applying the ignore-scripts=true configuration option for npm on the system level. This way, you can ensure that it is the default across all projects you use or clone on your system.

This is how you configure npm to ignore scripts by default on the system level:

npm config set ignore-scripts true

Side-effects of using ignore-scripts

So you should be aware that some third-party packages on npm may require their postinstall scripts to run in order to function correctly.

Some people will argue:

But what if you depend on legitimate packages that use postinstall scripts? 🤷

For example, a package may use a postinstall script to compile native addons, or to set up configuration files, or to perform other necessary setup tasks. A few examples are these packages:

  • bcrypt
  • node-sass
  • sharp

Meaning, if you install any of these packages and you default to not allowing post-install scripts then these packages may not install correctly or may not work as expected.

So should you ignore scripts by default or not?

It’s a trade-off between security and functionality. My opinionated recommendation is to always use ignore-scripts by default and only disable it on a case-by-case basis when you trust the package maintainer and you know what the postinstall script does.

If the third-party package requires postinstall scripts to run and is a regular part of the project, you can use LavaMoat’s allow-script package to manage an allow-list of trusted packages.

Another reason to consider disabling postinstall by default and prioritizing security is due to a prior academic research study that showed that about 2% of the npm registry actually has postinstall scripts defined. This means that the majority of packages you install won’t be affected by this change.

“we found 2.2% (33,249) of packages use install scripts, indicat- ing that 97.8% of packages may follow npm recommendation of not using the install script as best security practices.”

How to test for postinstall scripts

If you want to audit your project’s configuration and security posture for postinstall scripts, you can use a dummy test package made available by the LavaMoat project maintainers called @lavamoat/preinstall-always-fail

npm install @lavamoat/preinstall-always-fail

If this package fails to install then it means that your project is configured to allow postinstall scripts (not a good sign of security). If it installs successfully then it means that your project is configured to ignore postinstall scripts (a good sign of security).

Best Practices for npm ignore-scripts

Here are some best practices for using the ignore-scripts flag with npm:

  1. Use ignore-scripts by default: Always use the ignore-scripts flag when installing packages from npm. This will help mitigate the risk of malicious packages executing arbitrary commands on your system.
  2. Use ignore-scripts in CI/CD pipelines: You need to install dependencies in your CI/CD pipelines so make sure to always use the ignore-scripts flag to prevent any malicious packages from executing arbitrary commands on your CI/CD system (and potentially stealing environment variables, spinning up cloud infra and using it for crypto mining, etc).
  3. Use npq: If you want to enforce the use of ignore-scripts in your project, you can use the npq tool which is a wrapper around the npm CLI that will automatically run heuristics to collect security information about the packages you are installing and will automatically warn you if a package has a postinstall script.

此内容由惯性聚合(RSS阅读器)自动聚合整理,仅供阅读参考。 原文来自 — 版权归原作者所有。