From the docs:
For example, if the file at '/home/ry/projects/foo.js' called
require('bar.js'), then node would look in the following locations, in this
order:
- /home/ry/projects/node_modules/bar.js
- /home/ry/node_modules/bar.js
- /home/node_modules/bar.js [color added by me]
- /node_modules/bar.js
Maybe I'm paranoid. Ok, I am paranoid. But is there a potential for
injection of untrusted code here? I mean, it's really unlikely that I
would be running a node-based service on a machine I don't own-as-in-root.
But suppose I have users, and one of them is using node to do whatever
just because node is the coolest thing ever. Should she trust me not to
have put something evil in /home/node_modules? I mean, I could be evil. I
could dump the list of the top ten downloads from the npm registry and then
run those module names through a typo predictor (this is insanely easy to
automate, plus you have variations of foo, node-foo and foo-node, which
create even more open space for evil) and seed /home/node_modules with
compromised versions of the real thing. The next time Karen Koder does an
'npm install' on a new package file she might very well end up pulling
compromised code. I'm not saying this is a big security risk. It's not.
If it were, I would not be posting here. But I question whether this is
really good design practice and suggest that maybe pulling code from other
user directories is more risky than useful.