That's fair, Isaac, to a point. We all have to trust someone and it comes down to ratios of risk/reward. I just don't like the idea of cross-user account contamination. The real risk may be very low, but the benefits are even smaller. If anyone is using /home/node_modules on purpose I would be a little surprised. Just my 2 cents, and I don't expect anything to change. But maybe this thread will encourage more people to read the docs. :)
Thanks

On Apr 27, 2013 10:30 AM, "Isaac Schlueter" <[email protected]> wrote:

> If she doesn't trust you, why is her code on your machine? Why don't you just compromise HER files directly in that case?
>
> If you don't trust your infrastructure provider, then nothing can protect you. If you want defense-in-depth against accidental things like this, then make sure that you have local copies in node_modules of the things you want to use.
>
> On Sat, Apr 27, 2013 at 9:27 AM, Carlos <[email protected]> wrote:
> > From the docs:
> >
> > For example, if the file at '/home/ry/projects/foo.js' called require('bar.js'), then node would look in the following locations, in this order:
> >
> > /home/ry/projects/node_modules/bar.js
> > /home/ry/node_modules/bar.js
> > /home/node_modules/bar.js [color added by me]
> > /node_modules/bar.js
> >
> > Maybe I'm paranoid. Ok, I am paranoid. But is there a potential for injection of untrusted code here? I mean, it's really unlikely that I would be running a node-based service on a machine I don't own-as-in-root. But suppose I have users, and one of them is using node to do whatever just because node is the coolest thing ever. Should she trust me not to have put something evil in /home/node_modules? I mean, I could be evil. I could dump the list of the top ten downloads from the npm registry and then run those module names through a typo predictor (This is insanely easy to automate, plus you have variations of foo, node-foo and foo-node which create even more open space for evil.) and seed /home/node_modules with compromised versions of the real thing. The next time Karen Koder does an 'npm install' on a new package file she might very well end up pulling compromised code. I'm not saying this is a big security risk. It's not. If it were, I would not be posting here. But I question whether this is really good design practice and suggest that maybe pulling code from other user directories is more risky than useful.
> >
> > --
> > Job Board: http://jobs.nodejs.org/
> > Posting guidelines: https://github.com/joyent/node/wiki/Mailing-List-Posting-Guidelines
> > You received this message because you are subscribed to the Google Groups "nodejs" group.
> > To post to this group, send email to [email protected]
> > To unsubscribe from this group, send email to [email protected]
> > For more options, visit this group at http://groups.google.com/group/nodejs?hl=en?hl=en
> > ---
> > You received this message because you are subscribed to the Google Groups "nodejs" group.
> > To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
> > For more options, visit https://groups.google.com/groups/opt_out.
