Module search path safety?


Carlos

Apr 27, 2013, 12:27:21 PM
to nod...@googlegroups.com
From the docs:

For example, if the file at '/home/ry/projects/foo.js' called require('bar.js'), then node would look in the following locations, in this order:

  • /home/ry/projects/node_modules/bar.js
  • /home/ry/node_modules/bar.js
  • /home/node_modules/bar.js  [color added by me]
  • /node_modules/bar.js
Maybe I'm paranoid.  Ok, I am paranoid.  But is there a potential for injection of untrusted code here?  I mean, it's really unlikely that I would be running a node-based service on a machine I don't own-as-in-root.  But suppose I have users, and one of them is using node to do whatever just because node is the coolest thing ever.  Should she trust me not to have put something evil in /home/node_modules?  I mean, I could be evil.  I could dump the list of the top ten downloads from the npm registry and then run those module names through a typo predictor (This is insanely easy to automate, plus you have variations of foo, node-foo and foo-node which create even more open space for evil.) and seed /home/node_modules with compromised versions of the real thing.  The next time Karen Koder does an 'npm install' on a new package file she might very well end up pulling compromised code.  I'm not saying this is a big security risk.  It's not.  If it were, I would not be posting here.  But I question whether this is really good design practice and suggest that maybe pulling code from other user directories is more risky than useful.

Isaac Schlueter

Apr 27, 2013, 1:29:59 PM
to nodejs
If she doesn't trust you, why is her code on your machine? Why don't
you just compromise HER files directly in that case?

If you don't trust your infrastructure provider, then nothing can
protect you. If you want defense-in-depth against accidental things
like this, then make sure that you have local copies in node_modules
of the things you want to use.

Isaac Schlueter

Apr 27, 2013, 1:30:47 PM
to nodejs
Or, you can of course always bundle your deps in ./blerg/ and refer to
them via ./blerg/blorg/ or whatever, and that'll be as explicit as you
can be.

Carlos Mundi

Apr 27, 2013, 1:47:31 PM
to nod...@googlegroups.com

That's fair, Isaac, to a point. We all have to trust someone and it comes down to ratios of risk/reward. I just don't like the idea of cross-user account contamination. The real risk may be very low, but the benefits are even smaller. If anyone is using /home/node_modules on purpose I would be a little surprised. Just my 2 cents, and I don't expect anything to change. But maybe this thread will encourage more people to read the docs. :)

Thanks


Isaac Schlueter

Apr 27, 2013, 2:33:18 PM
to nodejs
The best way to prevent this would be to set up the permissions on the
box appropriately.

But really, I think "multiple users on the same fs" is kind of an
antiquated approach to multi-tenancy, as it's fundamentally insecure.
Do any hosts even have that any more? Who doesn't just run in a
little VM or zone or something?

Carlos Mundi

Apr 27, 2013, 10:19:07 PM
to nod...@googlegroups.com

All true, Isaac. I cannot dispute your pragmatism. I come from the "if it isn't an asset, it's a liability" school, which is a great way to design but an agonized way to live. :) Thanks for the discussion.

Ryan Schmidt

Apr 29, 2013, 2:54:47 AM
to nod...@googlegroups.com

On Apr 27, 2013, at 13:33, Isaac Schlueter wrote:

> But really, I think "multiple users on the same fs" is kind of an
> antiquated approach to multi-tenancy, as it's fundamentally insecure.
> Do any hosts even have that any more?

I would guess zillions. But probably none that are awesome enough to support node.

Alex Kocharin

Apr 29, 2013, 3:54:17 PM
to nod...@googlegroups.com

If this server allows auto-creation of users with arbitrary names, someone could create a user named "node_modules" and cause trouble.

On the other hand, I used /home/node_modules folder to deliberately share the same modules between different users. No... I'd say it is more useful than risky.


// alex