Open source packages, and specifically npm, are undoubtedly impressive. They make developers extremely productive by giving each of us a wealth of existing functionality waiting to be consumed. If we had to write all this functionality ourselves, we would struggle to create a fraction of what we do today.
As a result, a typical Node.js application today consumes a ton of npm packages, often hundreds or thousands of them. However, what we often overlook is that each of these packages, along with its functionality, also adds to the security risks of the application. Many packages open new ports, thus increasing the attack surface. About 76% of Node shops use vulnerable packages, some of which are extremely severe, and open source projects regularly go stale, neglecting to fix security flaws.
Inevitably, using npm packages will expose you to security risks. Fortunately, there are several questions you can ask that can substantially reduce your risk. This post describes these questions and how to answer them.
What packages am I using?
The more packages you use, the greater the risk of having a vulnerable or malicious package among them. This is true not only for the packages that you use directly, but also for the indirect dependencies that they use.
Discovering your dependencies is as easy as running npm ls in your app's main folder, which lists the packages you use. You can use the --prod argument to show only production dependencies (which affect your security the most), and add --long for a brief description of each package. Take a look at this post to better understand how you can slice and dice your npm dependencies.
~/proj/node_redis $ npm ls --prod --long
[email protected]
│ /Users/guypod/localproj/playground/node_redis
│ Redis client library
│ git://github.com/NodeRedis/node_redis.git
│ https://github.com/NodeRedis/node_redis
├── [email protected]
│   Extremely fast double-ended queue implementation
│   git://github.com/petkaantonov/deque.git
│   https://github.com/petkaantonov/deque
├── [email protected]
│   Redis commands
│   git+https://github.com/NodeRedis/redis-commands.git
│   https://github.com/NodeRedis/redis-commonds
└── [email protected]
    Javascript Redis protocol (RESP) parser
    git+https://github.com/NodeRedis/node-redis-parser.git
    https://github.com/NodeRedis/node-redis-parser#readme
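Running npm ls --prod --json instead of --long gives the same tree as machine-readable JSON. The script below is an added example, not code from the original post: it walks such a tree, flattens it, and reports how many packages are direct versus indirect dependencies and which names are installed in more than one version (each extra version is another copy of code that has to stay patched). The tree it walks is a constructed sample with made-up package names, shaped like npm's JSON output.

```javascript
// Added example, not from the original post: flatten the JSON tree that
// `npm ls --prod --json` prints and summarise it. Package names below are
// constructed, not real packages.
const sampleLsJson = {
  name: "my-app",
  version: "1.0.0",
  dependencies: {
    "web-framework": {
      version: "4.0.0",
      dependencies: {
        "body-parser": {
          version: "1.2.0",
          dependencies: { qs: { version: "6.0.0" } }
        },
        qs: { version: "6.0.0" }
      }
    },
    logger: {
      version: "2.1.0",
      dependencies: { qs: { version: "5.0.0" } }
    }
  }
};

// Walk the tree and collect one entry per name@version, remembering every
// path that leads to it and whether it is a direct dependency of the app.
function flattenDependencies(tree) {
  const seen = new Map();
  function walk(deps, path) {
    for (const [name, info] of Object.entries(deps || {})) {
      const key = `${name}@${info.version}`;
      let entry = seen.get(key);
      if (!entry) {
        entry = { name, version: info.version, direct: false, paths: [] };
        seen.set(key, entry);
      }
      if (path.length === 0) entry.direct = true;
      entry.paths.push([...path, key].join(" > "));
      walk(info.dependencies, [...path, key]);
    }
  }
  walk(tree.dependencies, []);
  return [...seen.values()];
}

// Summarise: totals, plus the names that appear in more than one version.
function summarizeDependencies(tree) {
  const all = flattenDependencies(tree);
  const versionsByName = new Map();
  for (const d of all) {
    if (!versionsByName.has(d.name)) versionsByName.set(d.name, new Set());
    versionsByName.get(d.name).add(d.version);
  }
  return {
    total: all.length,
    direct: all.filter((d) => d.direct).length,
    indirect: all.filter((d) => !d.direct).length,
    multipleVersions: [...versionsByName]
      .filter(([, versions]) => versions.size > 1)
      .map(([name]) => name)
      .sort()
  };
}

// Usage: `npm ls --prod --json > deps.json`, then JSON.parse the file's
// contents and pass the result in place of sampleLsJson.
console.log(JSON.stringify(summarizeDependencies(sampleLsJson), null, 2));
```

On the sample tree the summary reports 5 packages, of which only 2 are direct dependencies, and shows that qs is installed twice in different versions; on a real application the indirect count is usually several times the direct one, which is the point the section makes.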
A new breed of dependency management services, such as bitHound and VersionEye, can also list the dependencies you use, as well as track some of the information below.
Now that you know what you have, you can ask a few questions to assess the risk involved in each package. Here are some sample questions to ask, why you should ask them, and suggestions for how you can get answers.
Am I still using this package?
As time passes and your code changes, you will likely stop using certain packages and add new ones instead. However, developers often do not remove a package from the project when they stop using it, as some other part of the code may need it.
As a result, projects have a tendency to accumulate unused dependencies. While not a direct security concern, these dependencies needlessly increase the attack surface and add clutter to the code. For example, an attacker can trick a package into loading an unused package with a more severe vulnerability, increasing the potential damage.
Checking for unused dependencies is most easily done using the depcheck tool. depcheck scans your code for require and import statements, correlates those with the packages installed or mentioned in your package.json, and produces a report. The command can be adjusted in various ways using command-line flags, making it easy to automatically check for unused packages.
~/proj/Hardy $ depcheck
Unused dependencies
* cucumber
* selenium-standalone
Unused devDependencies
* jasmine-node
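The check depcheck performs can be sketched in a few dozen lines. The following is an added example, not depcheck's own code: it pulls package names out of require() calls and import statements, maps subpaths and scoped names back to the owning package (lodash/pick to lodash, @scope/auth/session to @scope/auth), ignores Node built-ins and relative paths, and compares the result with a package.json, reporting unused as well as undeclared packages. The package.json and source files it scans are constructed samples with made-up names, and the built-in list is deliberately partial.

```javascript
// Added example, not depcheck's own code: a minimal unused-dependency
// check over constructed inputs.

// Partial list of Node built-ins; these never need a package.json entry.
const NODE_BUILTINS = new Set([
  "assert", "crypto", "events", "fs", "http", "https", "os", "path",
  "stream", "url", "util"
]);

// Map an import specifier to the package that provides it, or null when
// it is a local file, a node: URL or a built-in.
function packageNameOf(spec) {
  if (spec.startsWith(".") || spec.startsWith("/") || spec.startsWith("node:")) return null;
  const parts = spec.split("/");
  const name = spec.startsWith("@") ? parts.slice(0, 2).join("/") : parts[0];
  return NODE_BUILTINS.has(name) ? null : name;
}

// Collect package names from require('x'), import ... from 'x',
// import 'x' and dynamic import('x') in one source file.
function findImports(source) {
  const found = new Set();
  const patterns = [
    /\brequire\(\s*['"]([^'"]+)['"]\s*\)/g,
    /\bimport\s+(?:[^'";]+?\s+from\s+)?['"]([^'"]+)['"]/g,
    /\bimport\(\s*['"]([^'"]+)['"]\s*\)/g
  ];
  for (const re of patterns) {
    for (const m of source.matchAll(re)) {
      const name = packageNameOf(m[1]);
      if (name) found.add(name);
    }
  }
  return found;
}

// Compare declared dependencies with the ones actually imported.
function checkDependencies(pkgJson, sourceFiles) {
  const declared = new Set(Object.keys(pkgJson.dependencies || {}));
  const declaredDev = new Set(Object.keys(pkgJson.devDependencies || {}));
  const used = new Set();
  for (const src of Object.values(sourceFiles)) {
    for (const name of findImports(src)) used.add(name);
  }
  return {
    unusedDependencies: [...declared].filter((n) => !used.has(n)).sort(),
    unusedDevDependencies: [...declaredDev].filter((n) => !used.has(n)).sort(),
    // imported but declared nowhere: works only by accident of hoisting
    missing: [...used].filter((n) => !declared.has(n) && !declaredDev.has(n)).sort()
  };
}

// Constructed sample project (package names are made up or illustrative).
const samplePackageJson = {
  dependencies: { express: "^4.0.0", lodash: "^4.0.0", "@scope/auth": "^1.0.0", "left-pad": "^1.0.0", request: "^2.0.0" },
  devDependencies: { mocha: "^5.0.0", "jasmine-node": "^1.0.0" }
};
const sampleSources = {
  "src/app.js": `
    const express = require('express');
    const fs = require('fs');
    const pick = require('lodash/pick');
    import { login } from '@scope/auth/session';
    import './config';
    const util = require('./lib/util');
  `,
  "test/app.test.js": `
    const assert = require('assert');
    import 'mocha';
    const chalk = await import('chalk');
  `
};

console.log(JSON.stringify(checkDependencies(samplePackageJson, sampleSources), null, 2));
```

On the sample it reports left-pad and request as unused dependencies, jasmine-node as an unused devDependency, and chalk as imported but undeclared. A regex scan like this misses imports built from variables and files it was not handed, which is why depcheck parses the code properly and walks the whole project; the example only shows the shape of the check.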
Are other developers using this package?
Packages used by many are also watched more closely. The probability that someone has already found and addressed a security issue in them is higher than for a less-used package.
For example, the secure-compare package was created to support string comparison that is not susceptible to a timing attack. However, a fundamental flaw in the package achieved the exact opposite, making certain comparisons extremely timing-sensitive (and incorrect).
If you looked more closely, you would see that this package is rarely used, downloaded only 20 times a day. If it were a more popular package, chances are someone would have found and reported the functional flaw sooner.
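To make the secure-compare story concrete, here is an added example, written for this post and not the secure-compare package's code, of the kind of timing leak involved. Rather than measuring wall-clock time, which is noisy, each function counts its loop iterations: the naive version stops at the first mismatch, so the count (and hence the time) reveals how long the correct prefix of a guess is, while the constant-time version always does the same amount of work. The token values are constructed.

```javascript
// Added example, not the secure-compare package's code: a naive string
// comparison next to a constant-time one, instrumented with a step
// counter so the difference is visible without timing anything.

// Naive comparison: bails out at the first mismatching character, so the
// number of iterations reveals how many leading characters of the guess
// are correct.
function naiveCompare(expected, actual) {
  let steps = 0;
  if (expected.length !== actual.length) return { equal: false, steps };
  for (let i = 0; i < expected.length; i++) {
    steps++;
    if (expected[i] !== actual[i]) return { equal: false, steps }; // early exit leaks position
  }
  return { equal: true, steps };
}

// Constant-time comparison: XOR each character pair and OR the results
// together, so the loop always runs over the whole expected value and the
// result is only inspected at the end. A length mismatch is folded into
// `diff` instead of short-circuiting. charCodeAt past the end of `actual`
// yields NaN, which `| 0` maps to 0, so there is no branch on the guess.
function timingSafeCompare(expected, actual) {
  let steps = 0;
  let diff = expected.length ^ actual.length;
  for (let i = 0; i < expected.length; i++) {
    steps++;
    diff |= expected.charCodeAt(i) ^ (actual.charCodeAt(i) | 0);
  }
  return { equal: diff === 0, steps };
}

// Constructed demo: two wrong guesses, one sharing a longer correct prefix.
const secret = "s3cr3t-t0k3n";
const guessEarlyMiss = "xxxxxxxxxxxx";
const guessLateMiss = "s3cr3t-t0k3X";

console.log("naive steps:", naiveCompare(secret, guessEarlyMiss).steps, "vs", naiveCompare(secret, guessLateMiss).steps);
console.log("safe steps: ", timingSafeCompare(secret, guessEarlyMiss).steps, "vs", timingSafeCompare(secret, guessLateMiss).steps);
```

The naive function takes 1 step for the early miss and 12 for the late one; the constant-time function takes 12 in both cases. In production Node code the hardened form is crypto.timingSafeEqual, which requires two Buffers of equal length, so inputs of varying length are usually hashed first and the digests compared.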
The easiest way to evaluate a package's usage is its download rate, shown in the "Stats" section of the package's npm page. You can extract those statistics automatically using the npm stats API, or browse historical statistics on npm-stat.com. Alternatively, you can look at the number of "Dependents" packages - other packages that use it today.
Am I using the latest version of this package?
Bugs, including security ones, are constantly found and, hopefully, fixed. Also, it is quite common to see newly reported vulnerabilities fixed only in the most recent major version branch of a project.
For example, in early 2016, a Regular Expression Denial of Service (ReDoS) vulnerability was found in the HMAC package hawk. ReDoS is a vulnerability in which a long or carefully crafted input causes the regular expression matching to take a long time to compute. Meanwhile, the processing thread does not serve new requests, allowing a denial of service attack with only a small number of requests.
The hawk vulnerability was quickly fixed in its latest major version, 4.x, but the older versions were left without a fix. Specifically, this left an unfixed vulnerability in the widely used request package, which used [email protected]. Later, the author accepted Snyk's pull request with a fix for the 3.x branch, but request users were exposed for a while, and the problem still exists in the older major version branches. This is just one example, but as a general rule, your dependencies are less likely to have security bugs if they are on the latest version.
You can find out whether or not you are using the latest version with the npm outdated command. This command also supports the --prod flag to ignore dev dependencies, as well as --json to simplify automation. You can also use Greenkeeper to proactively inform you when you are not using the latest version.
~/proj/handlebars.js $ npm outdated --prod
Package     Current  Wanted  Latest  Location
async       1.5.2    1.5.2   2.0.1   handlebars
source-map  0.4.4    0.4.4   0.5.6   handlebars
uglify-js   2.6.2    2.7.3   2.7.3   handlebars
yargs       3.32.0   3.32.0  5.0.0   handlebars
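npm outdated --json prints the same table as an object keyed by package name, with current, wanted, latest and location fields. The script below is an added example, not part of the original post: it groups packages by whether the latest release is a major, minor or patch version ahead, which matters because fixes often land only in the latest major branch, and it flags which ones npm update alone would move, because the declared range already allows the newer version. The JSON is a constructed sample that mirrors the table above plus two made-up entries (a patch-behind package and one with no parseable current version).

```javascript
// Added example, not from the original post: classify the output of
// `npm outdated --prod --json`. The sample JSON is constructed; the first
// four entries mirror the table in the post, the last two are made up.
const sampleOutdatedJson = `{
  "async":      { "current": "1.5.2",  "wanted": "1.5.2",  "latest": "2.0.1", "location": "handlebars" },
  "source-map": { "current": "0.4.4",  "wanted": "0.4.4",  "latest": "0.5.6", "location": "handlebars" },
  "uglify-js":  { "current": "2.6.2",  "wanted": "2.7.3",  "latest": "2.7.3", "location": "handlebars" },
  "yargs":      { "current": "3.32.0", "wanted": "3.32.0", "latest": "5.0.0", "location": "handlebars" },
  "some-lib":   { "current": "1.4.0",  "wanted": "1.4.0",  "latest": "1.4.2", "location": "handlebars" },
  "local-lib":  { "wanted": "1.0.0", "latest": "1.0.0", "location": "handlebars" }
}`;

// Parse the leading major.minor.patch of a version string; null when the
// string is absent or not a plain semver (git URLs, "MISSING", etc.).
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v || "");
  return m ? { major: +m[1], minor: +m[2], patch: +m[3] } : null;
}

// Name the most significant part in which `latest` is ahead of `cur`,
// or null when nothing newer is available.
function behindBy(cur, latest) {
  for (const part of ["major", "minor", "patch"]) {
    if (latest[part] > cur[part]) return part;
    if (latest[part] < cur[part]) return null;
  }
  return null;
}

// Bucket every package by how far behind it is.
function classifyOutdated(outdated) {
  const report = { majorBehind: [], minorBehind: [], patchBehind: [], current: [], unparsed: [] };
  const bucketFor = { major: "majorBehind", minor: "minorBehind", patch: "patchBehind" };
  for (const [name, info] of Object.entries(outdated)) {
    const cur = parseVersion(info.current);
    const latest = parseVersion(info.latest);
    const entry = {
      name,
      current: info.current,
      wanted: info.wanted,
      latest: info.latest,
      // true when `npm update` alone would move the package, i.e. the
      // range in package.json already allows something newer; false means
      // the range has to be widened by hand (typical for a new major)
      fixableByUpdate: Boolean(cur && info.wanted !== info.current)
    };
    if (!cur || !latest) {
      report.unparsed.push(entry);
      continue;
    }
    report[bucketFor[behindBy(cur, latest)] || "current"].push(entry);
  }
  return report;
}

// Usage: `npm outdated --prod --json > outdated.json`, then pass
// JSON.parse of the file's contents instead of the sample.
console.log(JSON.stringify(classifyOutdated(JSON.parse(sampleOutdatedJson)), null, 2));
```

On the sample, async and yargs are a major version behind and none of them would be fixed by npm update, while uglify-js is the only entry whose declared range already allows the newer version. The majorBehind bucket is the one to review first: as the hawk example shows, an older major branch may never receive a fix.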
When was this package last updated?
Creating an open source project, including npm packages, is fun. Many talented developers create these projects in their spare time, investing a lot of time and energy into making them good. However, over time the excitement often fades, and changes in life can make it difficult to find the necessary time.
As a result, npm packages often go stale, don't add features, and fix bugs slowly, if at all. This is not great for functionality, but it is especially problematic for security. Functional bugs typically only get in your way when you're building something new, allowing some leeway in how quickly they are addressed. Fixing security vulnerabilities is more urgent - once known, attackers can exploit them, so time to fix is critical.