Comments (3)
How would you envision it being used? Since legitimate postinstall scripts often are about building native packages, they end up executing code in a way that the Node permission model wouldn't apply.
from security-wg.
How would you envision it being used? Since legitimate postinstall scripts often are about building native packages, they end up executing code in a way that the Node permission model wouldn't apply.
In case of building native packages, it will be denied, yeah. I was imagining a specific use case where a Node.js script is run. Do you see another use case for this? Either during the package installation or the module usage itself.
from security-wg.
On the top of my head I don't see a lot of use cases for Node.js-based postinstall scripts - afaik the two categories in the wild are:
- Lazily downloading prebuilt binaries; that's something that's better served with `optionalDependencies`, since it integrates with the cache and lockfile. So we don't really want to encourage that.
- Print something during install; that's something Yarn doesn't support by default as we don't print messages unless the package completely fails to install.
So limiting the scope of Node.js scripts during postinstall isn't that impactful imo: in most cases users will be better served by disabling the postinstall entirely (if it's an ad), or running it with full permissions (if it's a compiled package).
With that said I think it could be interesting to discuss how to make `yarn run` secure the processes it starts - while I'm afraid postinstall is kind of an unfortunate evil, I could imagine us setting up a jail in `yarn run` so that transitive dependencies of your scripts (especially those which don't define a postinstall script, and thus have less scrutiny) can't compromise the user.
from security-wg.