If this server allows auto-creation of users with arbitrary names, someone
could create a user named "node_modules" and cause trouble.
On the other hand, I used the /home/node_modules folder to deliberately share
the same modules between different users. No... I'd say it is more useful
than risky.
// alex
On Saturday, April 27, 2013 4:27:21 PM UTC, Carlos wrote:
>
> From the docs:
>
> For example, if the file at '/home/ry/projects/foo.js' called
> require('bar.js'), then node would look in the following locations, in
> this order:
>
> - /home/ry/projects/node_modules/bar.js
> - /home/ry/node_modules/bar.js
> - /home/node_modules/bar.js [color added by me]
> - /node_modules/bar.js
>
> Maybe I'm paranoid. Ok, I am paranoid. But is there a potential for
> injection of untrusted code here? I mean, it's really unlikely that I
> would be running a node-based service on a machine I don't own-as-in-root.
> But suppose I have users, and one of them is using node to do whatever
> just because node is the coolest thing ever. Should she trust me not to
> have put something evil in /home/node_modules? I mean, I could be evil. I
> could dump the list of the top ten downloads from the npm registry and then
> run those module names through a typo predictor (This is insanely easy to
> automate, plus you have variations of foo, node-foo and foo-node which
> create even more open space for evil.) and seed /home/node_modules with
> compromised versions of the real thing. The next time Karen Koder does an
> 'npm install' on a new package file she might very well end up pulling
> compromised code. I'm not saying this is a big security risk. It's not.
> If it were, I would not be posting here. But I question whether this is
> really good design practice and suggest that maybe pulling code from other
> user directories is more risky than useful.
>
--
Job Board: http://jobs.nodejs.org/
Posting guidelines:
https://github.com/joyent/node/wiki/Mailing-List-Posting-Guidelines
You received this message because you are subscribed to the Google
Groups "nodejs" group.
To post to this group, send email to [email protected]
To unsubscribe from this group, send email to
[email protected]
For more options, visit this group at
http://groups.google.com/group/nodejs?hl=en?hl=en