Comments (4)
Yes, it definitely should be possible, because all you need is some large buffer area that can be manipulated without being noticed. Git uses SHA1 but it's less vulnerable because it's prefixed with the file length which adds a constraint, the hashes are on a per file basis, and people are always looking at the text diffs, so you'd have to hide the change in a binary. Yet people are moving forward with plans to deprecate SHA1 in git. A node package is just a tarball though, and completely opaque to end users. You could use any file, or even insert a hidden file, and since the file size isn't part of the hash you have a lot of freedom. It would still take a 💩load of money but the payout of infecting a highly used module like 'lodash' with arbitrary code execution could be huge. Particularly if companies cache package tarballs indefinitely under the assumption they're immutable.
from ied.
@wmhilton This is one of the reasons I prefer using "cryptographically sensible" hashes in things that, on the surface, do not appear to need them.
Having benchmarked SHA2 against SHA1 myself, you get a performance hit of under about 25% which (IMO) is an acceptable tradeoff for using a best-practice hash algo.
Besides, your network connection will probably introduce more performance uncertainty than whatever hash algorithm you're using.
from ied.
The main obstacle to using it in git is that SHA2 is physically longer than SHA1 which was only 160 bits or 40 bytes. Since git's all written in C that "40 characters" assumption is hard-coded into all sorts of structs. It should be much quicker to fix in JavaScript.
from ied.
This thread is from 5 years ago. Is the project no longer maintained or was this actively decided against?
from ied.
Related Issues (20)
- Seriously, IED is a terrible name. HOT 4
- rxjs\Observer error HOT 3
- Jest Dependencies
- Error status code undefined on raw.githubusercontent.com
- Replace hashes with readable name HOT 2
- EXDEV issue with Docker HOT 1
- Hotfix release needed - Issue with latest rxjs release candidate HOT 9
- support for --registry broken? HOT 1
- Rewrite ied in Go HOT 1
- Idea: collaboration with pnpm HOT 34
- Why can't modules be stored globally on a machine?
- Spec: Lockfile HOT 10
- Spec: console output HOT 10
- Fixing --preserve-symlinks. Enhancing node to exploit.
- EINVAL when installing on Docker on CircleCI
- New Registry Feature: Filtered Metadata HOT 1
- IED installer with phantomJS or with phantomjs-prebuilt HOT 1
- ied install not executing npm install in local dependencies folders
- Not working with electron
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from ied.