Hacker News new | ask | show | jobs
by dns_snek 10 days ago
> since a bunch of people responding with "every package manager can be hit!!!" npm, by design, allows all packages to run package supplied arbitrary code as the logged-in user after an update completes.

This is semi-common and in no way unique to NPM.
3 comments
Ajedi32 10 days ago
And even in the ones that don't, having to wait until the project executes to begin its attack is a minor inconvenience for malware.
link
an0malous 10 days ago
What other package managers do this? I don’t think Ruby does
link
matheusmoreira 10 days ago
https://docs.ruby-lang.org/en//master/Gem.html#method-c-post...
link
IshKebab 10 days ago
Python does too I believe.

Really the reason not to allow that is for robustness, not security. You ideally don't want package installs doing random stuff to your system because package authors are generally bad at doing that sort of thing cleanly.

The security impact is relatively minimal because as other people have said, you just installed a package. What's the very next thing you're going to do? Compile/run it obviously.

link
oblio 10 days ago
A lot of packages are pulled in to call minimal bits of the actual library. I obviously don't have any statistics on this but my instinct would say that for the average application only 5% of an average package is actually used.

So not running package installation scripts is a huge, massive problem.

link
dns_snek 10 days ago
It doesn't matter how much of the package you use. Here, you can use literally 0% of Koa and get pwned by one of its transitive dependencies (koa > cookies > keygrip > tsscmp) by simply importing the parent package:

    mkdir demo && cd demo
    npm install --save koa@3.2.0
    echo 'console.log("--- pwned by a transitive dependency ---")' >> node_modules/tsscmp/lib/index.js
    node -e "import 'koa'"
--- pwned by a transitive dependency ---
link
oblio 9 days ago
My point was for proper package management tools that don't allow running scripts.
link
IshKebab 9 days ago
His example did not involve running any post-install scripts.
link
IshKebab 10 days ago
So what? Packages can just put their backdoors in some initialisation code that is always used.

It is possible that not running package installation scripts could improve security, but for that you need really good sandboxing/compartmentalisation of library code, e.g. with CHERI, WASI component model, or if all of your code must run in a secure context it probably helps.

But those situations are unfortunately rare in my experience.

link
dns_snek 10 days ago
Most of them? Ruby gems have hooks, Python has setup.py, deb, rpm have them too (relevant if you're installing from 3rd party sources). Elixir/Mix doesn't technically execute code on install, but your language server builds the dependencies as soon as you open the project, which can execute arbitrary code.

Either way it misses the point, nobody just fetches code and removing post-install scripts wouldn't change much because you're going to run `npm run something` 5 seconds after you run `npm install`.

link
matheusmoreira 10 days ago
You're right. I said the same thing and got downvoted too. Don't let it discourage you.
link