Issue metadata
Security: NPM dependency takeover in https://github.com/GoogleChrome/workbox
Reported by prebenve...@gmail.com, Jul 6
Issue description
Summary: NPM dependency takeover in https://github.com/GoogleChrome/workbox

In the package.json of https://github.com/GoogleChrome/workbox/blob/master/packages/workbox-build/package.json, I noticed that one of the dependencies was not registered: "workbox-navigation-preload". Hence I uploaded the NPM package to the NPM registry.

PoC:
* git clone https://github.com/GoogleChrome/workbox.git
* cd workbox/packages/workbox-build/
* npm install

This should throw an error; in the npm-debug.log it should say:
726 verbose stack Error: No compatible version found: workbox-navigation-preload@^3.3.1
726 verbose stack Valid install targets:
726 verbose stack 1.0.0

This error is thrown because my package is version 1.0.0.

Additional PoC: https://www.npmjs.com/package/workbox-navigation-preload

Attack scenario: Using the NPM dependency, one could execute arbitrary code on servers (build servers) and users installing the package that uses this dependency. Seeing as similar packages (workbox-*) got around 35000 downloads this week, this could've had some serious impact.
Jul 9
Thanks for pointing this out. We were planning on publishing the workbox-navigation-preload package to npm for the first time with the upcoming 3.4.0 release of Workbox. We use lerna (https://github.com/lerna/lerna) to publish all dependencies at once, though now that the workbox-navigation-preload package name has been claimed by someone else, the act of publishing to npm will fail, and we'll have to choose a different package name. Given that we need to check in code to the master branch of GitHub prior to publishing to npm via lerna, I'm not sure how to avoid a gap in time between when there's a reference to an upcoming project in the GitHub codebase and the time at which we actually go live on npm. Perhaps this would force our hand to move to scoped namespaces in the future: https://docs.npmjs.com/misc/scope
Jul 9
https://github.com/GoogleChrome/workbox/pull/1570 will remove the reference to workbox-navigation-preload in the master branch of the GitHub repo, once it's merged. We never published anything that references workbox-navigation-preload to npm, so there's nothing to remediate there. In the short term, we could start squatting on our future npm project names (including whichever new name we choose for the Navigation Preload module) with an empty 0.0.1 release prior to committing anything to GitHub. And then there's https://docs.npmjs.com/misc/scope as a cleaner way of avoiding this.
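Added example in JavaScript, not code from the Workbox project or from anyone in this thread: an audit that takes a package.json's declared dependencies and, against per-name lists of published versions, reports names that were never published (the pre-publish gap described above) and names whose only published versions fall outside the declared range (the "No compatible version found ... Valid install targets: 1.0.0" symptom from the report). The registry map and the 'workbox-not-yet-published' name are constructed; a real run would fill the map from `npm view <name> versions --json`.

```javascript
// Added example, not code from the Workbox project or this thread. Flags a declared
// dependency nobody has published (anyone can claim the name; the gap in comment #4)
// and one whose published versions miss the declared range (the "No compatible
// version found ... Valid install targets: 1.0.0" symptom). Registry data is constructed.
function parseVersion(v) { // "MAJOR.MINOR.PATCH", optional leading "v"; prerelease ignored
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unsupported version: ${v}`);
  return m.slice(1, 4).map(Number);
}
function compare(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}
// Minimal semver check: exact, caret and tilde ranges only; others throw.
function satisfies(version, range) {
  const v = parseVersion(version);
  const op = range[0] === '^' || range[0] === '~' ? range[0] : '';
  const base = parseVersion(op ? range.slice(1) : range);
  if (compare(v, base) < 0) return false;
  if (!op) return compare(v, base) === 0;
  let upper;
  if (op === '^' && base[0] > 0) upper = [base[0] + 1, 0, 0];      // ^3.3.1 -> <4.0.0
  else if (op === '^' && base[1] > 0) upper = [0, base[1] + 1, 0]; // ^0.2.3 -> <0.3.0
  else if (op === '^') upper = [0, 0, base[2] + 1];                // ^0.0.3 -> <0.0.4
  else upper = [base[0], base[1] + 1, 0];                          // ~1.2.3 -> <1.3.0
  return compare(v, upper) < 0;
}
// registry: Map<name, published versions[]>; a missing name was never published.
function auditDependencies(pkg, registry) {
  const findings = [];
  for (const section of ['dependencies', 'devDependencies', 'optionalDependencies']) {
    for (const [name, range] of Object.entries(pkg[section] || {})) {
      const versions = registry.get(name) || [];
      if (versions.length === 0) { findings.push({ name, range, reason: 'unpublished' }); continue; }
      let matching;
      try { matching = versions.filter((v) => satisfies(v, range)); }
      catch (e) { findings.push({ name, range, reason: 'unsupported-range' }); continue; }
      if (matching.length === 0) findings.push({ name, range, reason: 'no-matching-version', published: versions });
    }
  }
  return findings;
}
// Constructed sample mirroring the report: a third party published 1.0.0 under the
// name while package.json asks for ^3.3.1; the last entry is a hypothetical unpublished name.
const samplePackageJson = { name: 'workbox-build', dependencies: {
  'workbox-core': '^3.3.1', 'workbox-navigation-preload': '^3.3.1', 'workbox-not-yet-published': '^3.4.0' } };
const sampleRegistry = new Map([['workbox-core', ['3.3.0', '3.3.1']], ['workbox-navigation-preload', ['1.0.0']]]);
console.log(auditDependencies(samplePackageJson, sampleRegistry));
```

Running this before a commit that adds a new workbox-* dependency would surface the 'unpublished' finding while the name is still claimable.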
Jul 9
Heya, no problem. If it can help, I can transfer the ownership of the package name to you.
Preben
Jul 9
Thanks Jeffrey. Since there is no longer any immediate user risk I will close this, and suggest moving further discussion to a GitHub issue.
Jul 9
(https://github.com/GoogleChrome/workbox/pull/1570 is merged, and there's currently no active reference to workbox-navigation-preload in the master branch of the GitHub repo.) Thanks for offering to do the transfer, Preben! I would appreciate it just to avoid confusion, though it's not clear whether we'll actually go ahead with that package name. My npm account name is jeffposnick. We (the Workbox team) will take responsibility for following one of the options outlined in #4 for preventing a recurrence when the project adds more npm packages.
Jul 9
Sure, just transferred the ownership: https://www.npmjs.com/package/workbox-navigation-preload. Thanks
Preben
Jul 10
Looks good—thanks again, Preben!
Oct 16
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by kenrb@chromium.org, Jul 7
Owner: addyo@chromium.org
Status: Assigned (was: Unconfirmed)