An interesting read for web developers: how hard is to (not) add malware to your site? David Gilbertson tried to answer this question for node.js and npm but the approach is potent for other package-dependency hells as well.
The malicious code itself is very simple
Of course, when I first wrote this code, back in 2015, it was of no use at all sitting on my computer. I needed to get it out into the world. Out into your site.
XSS is too small scale, and really well protected against.
Chrome Extensions are too locked down.
Lucky for me, we live in an age where people install npm packages like they’re popping pain killers.
People love pretty colours — it’s what separates us from dogs — so I wrote a package that lets you log to the console in a any colour. (sic)
I was excited at this point — I had a compelling package — but I didn’t want to wait around while people slowly discovered it and spread the word. So I set about making PRs to existing packages that added my colourful package to their dependencies.
I’ve now made several hundred PRs (various user accounts, no, none of them as “David Gilbertson”) to various frontend packages and their dependencies. “Hey, I’ve fixed issue x and also added some logging.”
Look ma, I’m contributing to open source!
There are a lot of sensible people out there that tell me they don’t want a new dependency, but that was to be expected, it’s a numbers game.
Of course it's all fiction written with a spicy pinch of nastiness but the described attack vectors seem all too real. What's your take on the matter? How do you hold the line there with all the dependencies which inevitably come (sooner or later) to a "professional" web site?
Or you can discuss it from user perspective. Have you tried Noscript with PayPal, Amazon, eBay etc. ?
(Score: 2) by The Mighty Buzzard on Thursday January 11, @11:47AM
Given all the fun I've had with external dependencies over the years (I started Linux on Slackware), I try to avoid them when possible. Unless there's a damned good case for a package being included at all, it doesn't get included. If its functionality is crucial and it's something I can write myself without wasting huge amounts of time, I write it myself.
That's professional coding though. I don't put the same level of scrutiny on say a personal IRC bot that I don't really give two shits if it has to die from unmaintained or insecure dependencies. Writing my own libraries just because I can hasn't been something that has excited me for a long time now.
(Score: 1, Insightful) by Anonymous Coward on Thursday January 11, @12:03PM (3 children)
Don't allow javascript. problem solved
(Score: 0) by Anonymous Coward on Thursday January 11, @12:18PM
I allowed a script and I liked it.
(Score: 2) by Nerdfest on Thursday January 11, @01:29PM (1 child)
This really isn't limited to JavaScript. Any language that support the external dependency management is susceptible to it. Java for web back-end and desktop, certainly, and there are others. It's one of the dangers of *any* external dependency.
(Score: 2) by Arik on Thursday January 11, @02:37PM
Support a clear line between documents and programs.
The web is a web of documents. Quit blurring the lines and this problem goes away.
"Unix? These savages aren't even circumcised!"
(Score: 0) by Anonymous Coward on Thursday January 11, @12:54PM (1 child)
you get to the site, all sources of scripts get listed, you click temp trusted (second icon) to the ones that look less alien, starting from the subdomains, and try if the site works.
When you have scripts loading other scripts, or more than 10 distinct sources, it's better you leave for other sites altogether. If you need those sites browse through a vm. In fact all browsing should be done in a VM in $current_year IMHO
(Score: 0) by Anonymous Coward on Thursday January 11, @02:39PM
> In fact all browsing should be done in a VM in $current_year IMHO
That's for $current_year-1. In $current_year you get Meltdown/Spectre-type vulnerabilities that can sniff data over VM boundaries.
(Score: 0) by Anonymous Coward on Thursday January 11, @01:51PM
I normally have Javascript disabled while ordering from Amazon. It works fine.
(Score: 1, Informative) by Anonymous Coward on Thursday January 11, @02:07PM
Any company using Facebook as a context vector is redponisable for all damage including tracking by Facebook.
Any website not selecting the correct and only package that are needed are responsible too.
It falls under “knowing or should have known” in the court case.
(Score: 1, Informative) by Anonymous Coward on Thursday January 11, @02:19PM
What can be static content has to be static content
Everything dynamic is done server side (so no offloading to the client to save electricity bill, the dirty secret nobody talks about)
Server root tree is on a read-only share, if user submitted content exist it needs to be vetted/resaved and go to another tree that does not allow dynamic content
But ofc that's not what we get, we get websites that require JS for basic link functionality and inane stuff like dynamic sizing, because % weights and anchor tags are apparently not hip and trendy (H.I.V. and tendy) enough for 2018
(Score: 0) by Anonymous Coward on Thursday January 11, @02:46PM
How to not add malware to your website: Easy. Don't add crap from untrusted sources to your website.
How to prevent others from adding malware to your website: Easy. Don't allow others to add stuff to your website.
(Score: 2) by bradley13 on Thursday January 11, @03:00PM
I really dislike unnecessary dependencies. Which is generally to say: I dislike it, when people add frameworks. They often want one little convenience method, which happens to be offered in some OSS framework containing hundreds of classes. Which itself may bind in 2-3 other frameworks or OSS packages, which may have further dependencies of their own.
And you have no clue what any of it does, because you just wanted that one little thing.
Just now, I'm in the process of grading dozens of semester-long student projects. Pretty substantial things: client-server applications. You can see the difference: some of them come in sleek: a few thousand lines of code, a few hundred kb. Three of them are over 100 times as large as that - over 100MB. I haven't looked into the "why" just yet, but it's a fair bet that I'll find a bunch of external libraries, among other sins.
Big companies are really bad about this, on their web pages. As discussed in the comments on another article: that's the reason their home pages are so huge: all the damned JS libraries they depend on, usually for no good reason.
Everyone is somebody else's weirdo.
