If she doesn't trust you, why is her code on your machine?  Why don't
you just compromise HER files directly in that case?

If you don't trust your infrastructure provider, then nothing can
protect you.  If you want defense-in-depth against accidental things
like this, then make sure that you have local copies in node_modules
of the things you want to use.


On Sat, Apr 27, 2013 at 9:27 AM, Carlos <[email protected]> wrote:
> From the docs:
>
> For example, if the file at '/home/ry/projects/foo.js' called
> require('bar.js'), then node would look in the following locations, in this
> order:
>
> /home/ry/projects/node_modules/bar.js
> /home/ry/node_modules/bar.js
> /home/node_modules/bar.js  [color added by me]
> /node_modules/bar.js
>
> Maybe I'm paranoid.  Ok, I am paranoid.  But is there a potential for
> injection of untrusted code here?  I mean, it's really unlikely that I would
> be running a node-based service on a machine I don't own-as-in-root.  But
> suppose I have users, and one of them is using node to do whatever just
> because node is the coolest thing ever.  Should she trust me not to have put
> something evil in /home/node_modules?  I mean, I could be evil.  I could
> dump the list of the top ten downloads from the npm registry and then run
> those module names through a typo predictor (This is insanely easy to
> automate, plus you have variations of foo, node-foo and foo-node which
> create even more open space for evil.) and seed /home/node_modules with
> compromised versions of the real thing.  The next time Karen Koder does an
> 'npm install' on a new package file she might very well end up pulling
> compromised code.  I'm not saying this is a big security risk.  It's not.
> If it were, I would not be posting here.  But I question whether this is
> really good design practice and suggest that maybe pulling code from other
> user directories is more risky than useful.
>
> --
> --
> Job Board: http://jobs.nodejs.org/
> Posting guidelines:
> https://github.com/joyent/node/wiki/Mailing-List-Posting-Guidelines
> You received this message because you are subscribed to the Google
> Groups "nodejs" group.
> To post to this group, send email to [email protected]
> To unsubscribe from this group, send email to
> [email protected]
> For more options, visit this group at
> http://groups.google.com/group/nodejs?hl=en?hl=en
>
> ---
> You received this message because you are subscribed to the Google Groups
> "nodejs" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> For more options, visit https://groups.google.com/groups/opt_out.
>
>
