
LeftPad Not Found

A talk about Node.js security and best practices for handling npm package dependencies.

Talk overview:
1. history and overview of npm
2. the left-pad incident (npm-gate)
3. installing npm packages
4. keeping npm packages updated
5. publishing npm packages

Hans Kristian Flaatten

May 25, 2016


Transcript

  1. LeftPad Not Found
     Hans Kristian Flaatten (Starefossen)
     Node.js Oslo Meetup, May 25, 2016, at MESH
     Node.js / Web Security
  2. > cat about.txt
     Hans Kristian Flaatten
     I ♥ Open Source
     Computer Science @NTNU
     DevOps @Turistforeningen
     Build & Docker @NodeJS
  3. > cat agenda.txt
     > man npm
     > npm install left-pad
     > npm install
     > the npm worm
     > npm outdated
     > npm publish
     > credential leakage
  4. > history
     2009  Ryan Dahl releases Node.js
     2010  Isaac Schlueter releases npm
     2011  Node.js v0.6.3 bundles npm
     2012  Isaac becomes maintainer of Node.js
     2014  npm, Inc. is founded
  5. npm stats
     278k public packages (source: modulecounts.com)
     1B downloads/week (source: npmjs.org)
  6. npm stats (dark side)
     133k (47%)  1 year+ since last release
     93k (33%)   without a license
     84k (30%)   latest version 0.0.x
     1.1         maintainers (avg.)
  7. > npm install left-pad

     module.exports = leftpad;

     // Pads str on the left with ch (default: a space) until it is len characters long.
     function leftpad (str, len, ch) {
       str = String(str);
       var i = -1;
       if (!ch && ch !== 0) ch = ' ';
       len = len - str.length;
       while (++i < len) {
         str = ch + str;
       }
       return str;
     }
  8. Mar 22
     2:30 PM  Hijacked
     2:35 PM  Unpublished / Transferred
     2:40 PM  Shit's on fire
     4:55 PM  npm responds
  9. Post Mortem
     new unpublish policy
     protect yourself:
       • write your own libs
       • bundling/vendoring
       • private registry
  10. Install the right thing
      Common misspellings (a mistyped name resolves to whatever package owns that name, not the one you meant):
        • coffee-script - coffeescript - coffe-script
        • uglify-js - uglifyjs
        • socket.io - socketio
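The misspellings above are a typosquatting risk. As an added example (not code from the talk), the following pre-install check flags a package name that is a near miss of a well-known one, using Levenshtein distance plus a separator-insensitive comparison so that `socketio` is caught against `socket.io`. The `KNOWN_PACKAGES` list is a constructed sample, not a registry feed; in practice it would be the top-N names from the registry.

```javascript
// Added example (not code from the talk): flag package names that are a
// near miss of a well-known package before `npm install` runs.
// KNOWN_PACKAGES is a constructed sample, not a registry feed.
const KNOWN_PACKAGES = ['coffee-script', 'uglify-js', 'socket.io', 'express', 'lodash'];

// Classic Levenshtein edit distance computed with a single rolling row.
function levenshtein(a, b) {
  const row = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diag = row[0]; // row[j-1] from the previous value of i
    row[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const old = row[j];
      row[j] = Math.min(
        row[j] + 1,                             // delete a[i-1]
        row[j - 1] + 1,                         // insert b[j-1]
        diag + (a[i - 1] === b[j - 1] ? 0 : 1)  // substitute
      );
      diag = old;
    }
  }
  return row[b.length];
}

// Separator-insensitive form: "socket.io", "socket-io" and "socketio" collide.
function normalize(name) {
  return name.toLowerCase().replace(/[-_.]/g, '');
}

// Return { suggestion, distance } for the closest known package within
// maxDistance edits, or null when the name is exact or not close to anything.
function nearMiss(name, known = KNOWN_PACKAGES, maxDistance = 2) {
  if (known.includes(name)) return null;
  let best = null;
  for (const candidate of known) {
    const distance = normalize(name) === normalize(candidate)
      ? 0
      : levenshtein(name, candidate);
    if (distance <= maxDistance && (best === null || distance < best.distance)) {
      best = { suggestion: candidate, distance };
    }
  }
  return best;
}

// Usage: node typo-check.js coffe-script socketio express
for (const name of process.argv.slice(2)) {
  const hit = nearMiss(name);
  console.log(hit ? `${name}: did you mean ${hit.suggestion}?` : `${name}: ok`);
}
```

The distance threshold of 2 is a judgement call: large enough to catch a dropped or doubled letter, small enough that unrelated short names do not collide. A hit should block the install until a human confirms the name.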
  11. npm-scripts
      • "scripts" in package.json
      • start, test, build etc.
      • pre* and post* scripts
      • preinstall is run automatically before install
      • postinstall is run automatically after install
  12. > cat package.json
      {
        "name": "my-package",
        "version": "1.0.0",
        "scripts": {
          ...,
          "postinstall": "grunt build"
        },
        ...
      }
  13. > cat package.json
      {
        "name": "my-evil-package",
        "version": "1.0.0",
        "scripts": {
          ...,
          "postinstall": "rm -rf /"
        },
        ...
      }
  14. The npm Worm
      1. installs itself on «download» (via an install-time script, as in the previous slide)
      2. modifies your package.json
      3. publishes a new release
      US-CERT vulnerability note #319816
  15. "npm cannot guarantee that packages available on the registry are safe."
      – The npm Blog
  16. Protecting Yourself
      • npm install --ignore-scripts (skip lifecycle scripts for this install)
      • npm config set ignore-scripts true (skip them by default, for every install)
      • npm logout (drop the registry token from ~/.npmrc so an install-time script cannot publish with it)
  17. > npm install nsp
      > nsp check
      (+) 1 vulnerabilities found
      ┌───────────────┬────────────────────────────────────────┐
      │               │ Cross Site Scripting                   │
      ├───────────────┼────────────────────────────────────────┤
      │ Name          │ backbone                               │
      ├───────────────┼────────────────────────────────────────┤
      │ Installed     │ 0.3.3                                  │
      ├───────────────┼────────────────────────────────────────┤
      │ Vulnerable    │ <= 0.3.3                               │
      ├───────────────┼────────────────────────────────────────┤
      │ Patched       │ >= 0.5.0                               │
      ├───────────────┼────────────────────────────────────────┤
      │ Path          │ … > backbone@0.3.3                     │
      ├───────────────┼────────────────────────────────────────┤
      │ More Info     │ https://nodesecurity.io/advisories/108 │
      └───────────────┴────────────────────────────────────────┘
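What a check like the one above does is match each installed version against an advisory's vulnerable range. As an added example (not the nsp tool's own code), here is that match with a minimal semver comparator: MAJOR.MINOR.PATCH versions only, operators <, <=, >, >= and =, AND by whitespace, OR by `||`; prerelease tags and `~`/`^` ranges are deliberately not handled. The `ADVISORIES` entry is constructed from the output above and the installed set is a constructed sample.

```javascript
// Added example (not nsp's code): match installed versions against
// advisory ranges with a minimal semver comparator.

// "1.2.3" or "v1.2.3" -> [1, 2, 3]; anything else is rejected.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error('unsupported version: ' + v);
  return m.slice(1, 4).map(Number);
}

// -1, 0 or 1, comparing major, then minor, then patch.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// range grammar: clause ('||' clause)*, clause: comparator (whitespace comparator)*,
// comparator: [<|<=|>|>=|=] version. Missing operator means exact match.
function satisfies(version, range) {
  return range.split('||').some((clause) => {
    const cmps = [...clause.matchAll(/(<=|>=|<|>|=)?\s*v?(\d+\.\d+\.\d+)/g)];
    if (cmps.length === 0) throw new Error('unsupported range: ' + clause);
    return cmps.every(([, op = '=', v]) => {
      const c = compareVersions(version, v);
      return { '<': c < 0, '<=': c <= 0, '>': c > 0, '>=': c >= 0, '=': c === 0 }[op];
    });
  });
}

// Constructed from the nsp output above.
const ADVISORIES = [
  {
    module: 'backbone',
    title: 'Cross Site Scripting',
    vulnerable: '<= 0.3.3',
    patched: '>= 0.5.0',
    url: 'https://nodesecurity.io/advisories/108',
  },
];

// installed: { name: version }. Returns one finding per matching advisory.
function checkDependencies(installed, advisories = ADVISORIES) {
  const findings = [];
  for (const [name, version] of Object.entries(installed)) {
    for (const adv of advisories) {
      if (adv.module === name && satisfies(version, adv.vulnerable)) {
        findings.push({ name, version, title: adv.title, patched: adv.patched, url: adv.url });
      }
    }
  }
  return findings;
}

// Constructed sample installed set.
const SAMPLE_INSTALLED = { backbone: '0.3.3', underscore: '1.8.3' };
for (const f of checkDependencies(SAMPLE_INSTALLED)) {
  console.log(`${f.name}@${f.version}: ${f.title} (patched ${f.patched}) ${f.url}`);
}
```

The point of writing the matcher out is the edge it hides: an advisory is only as good as its range, and a version string the comparator cannot parse (a git URL, a prerelease tag, a `latest` tag) must fail loudly rather than silently count as safe, which is why `parseVersion` throws.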
  18. > npm install greenkeeper
      greenkeeper.io
      Key features:
        • dependency monitoring
        • pull request updates
        • auto merging (optional)
  19. > npm install npm-check
      dylang/npm-check
      Key features:
        • upgrade outdated
        • fix incorrect
        • remove unused
  20. Getting Started
      • npm init
      • version >= 1.0.0
      • write tests
      • code linting
      • use a CI server
  21. Leaked Sources
      • Dotfiles (.ssh, .npmrc, .gitconfig etc.)
      • Config files (package.json, Gemfile etc.)
      • Scripts (hardcoded stuff)
      • Logs
  22. Leak Mitigation
      • .gitignore + .npmignore (blacklist: easy to forget a file)
      • package.json "files" (whitelist: only what you list gets packed)
      • automate publishing to npm (no developer ~/.npmrc or working tree involved)
  23. Wrapping Up
      • Dependent on npm much?
      • Think before you install!
      • What do you publish?
      • Automate. Automate. Automate.