From owner-freebsd-security@FreeBSD.ORG Mon Mar 16 20:05:54 2015
From: Mark Felder
To: freebsd-security@freebsd.org
Subject: Re: npm doesn't check package signatures, should www/npm print security alert?
Date: Mon, 16 Mar 2015 15:05:52 -0500
Message-Id: <1426536352.4157462.241176113.7D625599@webmail.messagingengine.com>
In-Reply-To: <55073593.50108@rawbw.com>
References: <55073593.50108@rawbw.com>
List-Id: "Security issues [members-only posting]"

On Mon, Mar 16, 2015, at 14:57, Yuri wrote:
> www/npm downloads and installs packages without having signature
> checking in place.
> There is a discussion about package security at
> https://github.com/node-forward/discussions/issues/29 , but actual
> checking isn't currently done.
>
> Additionally, npm allows direct downloads of GitHub projects without any
> authenticity checking or maintainer review; see the documentation at
> https://docs.npmjs.com/cli/install . The non-explicit syntax 'npm install
> githubname/reponame' can also be easily confused with an official
> package name. Random GitHub projects can contain code without any
> guarantees.
>
> I think there is a risk that malicious JavaScript code can be
> injected through a MITM attack, and server-side JavaScript is a fully
> functional language.
>
> Shouldn't www/npm at least print a security alert about this? It
> probably shouldn't be used on production systems until package
> authentication is in place.
>
> Yuri
>

This would require FreeBSD to modify npm code to inject this message, correct? Or do you just want a post-install message when the package is installed to remind FreeBSD users about it?

It seems to me a scary warning patch should be sent upstream.
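The two risks Yuri raises are that npm installs registry tarballs without verifying their origin and that `githubname/reponame` specs pull unreviewed code straight from GitHub. The following is an added example, not code from the thread or from npm itself: it scans a constructed `package.json` for dependency specs that bypass the registry (GitHub shorthand, git URLs, raw tarball URLs), and it verifies a downloaded archive against a pinned Subresource-Integrity style `sha512-<base64>` digest, which is the kind of out-of-band pinning an operator can do when the installer itself performs no authentication. The package names, specs and tarball bytes are constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import re

# Constructed package.json for this example; the names and specs are hypothetical.
SAMPLE_PACKAGE_JSON = json.dumps({
    "name": "example-app",
    "dependencies": {
        "left-pad": "^1.0.0",                                     # normal registry spec
        "somelib": "githubname/reponame",                         # GitHub shorthand
        "other": "git+https://github.com/someorg/other.git#v2",   # git URL
        "third": "https://example.invalid/third-1.0.0.tgz",       # raw tarball URL
    }
})

# owner/repo, optionally prefixed with "github:" and suffixed with "#ref".
GITHUB_SHORTHAND = re.compile(r"^(github:)?[A-Za-z0-9_.-]+/[A-Za-z0-9_.-]+(#.*)?$")


def find_unreviewed_deps(package_json_text):
    """Return {name: reason} for dependencies whose spec never touches the registry.

    Semver ranges such as "^1.0.0" resolve through the registry and are not flagged.
    Git sources and remote tarballs are installed without any maintainer review, so
    they are flagged for manual inspection.
    """
    deps = json.loads(package_json_text).get("dependencies", {})
    flagged = {}
    for name, spec in deps.items():
        if spec.startswith(("git+", "git://")) or GITHUB_SHORTHAND.match(spec):
            flagged[name] = "git source, no registry review"
        elif spec.startswith(("http://", "https://")):
            flagged[name] = "remote tarball, no registry review"
    return flagged


def sri_sha512(data):
    """Compute an SRI-style integrity string: 'sha512-' + base64(SHA-512(data))."""
    digest = hashlib.sha512(data).digest()
    return "sha512-" + base64.b64encode(digest).decode("ascii")


def verify_tarball(data, pinned_integrity):
    """Check a fetched archive against a digest pinned ahead of time.

    A man-in-the-middle who alters the tarball in transit cannot keep the digest
    matching unless the pinned value itself was obtained over the same path, so
    the pin must come from an independent, trusted source. The comparison is
    constant-time to avoid leaking match length through timing.
    """
    return hmac.compare_digest(sri_sha512(data), pinned_integrity)


if __name__ == "__main__":
    for name, reason in find_unreviewed_deps(SAMPLE_PACKAGE_JSON).items():
        print(f"WARN {name}: {reason}")

    # Constructed archive bytes standing in for a downloaded .tgz.
    archive = b"\x1f\x8b\x08\x00constructed-tarball-bytes"
    pin = sri_sha512(archive)
    print("clean archive verifies:", verify_tarball(archive, pin))
    print("tampered archive verifies:", verify_tarball(archive + b"x", pin))
```

Running it prints a warning for `somelib`, `other` and `third`, and shows that the pinned digest accepts the original bytes and rejects a one-byte modification. In practice the pin would be recorded from a known-good fetch (or published by the maintainer) and stored alongside the port or deployment manifest, not fetched from the same server as the tarball.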