Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Verify that the resolved URL references fetches the exact package it's nested under in the lockfile #113

Closed
fabioberger opened this issue Feb 16, 2022 · 2 comments · Fixed by #114
Closed

Verify that the resolved URL references fetches the exact package it's nested under in the lockfile #113

fabioberger opened this issue Feb 16, 2022 · 2 comments · Fixed by #114
Assignees
@fabioberger
Labels
enhancement New feature or request

Comments

@fabioberger
Copy link
Contributor

Is your feature request related to a problem? Please describe.

Yes. I realized that it's not very hard for an attacker to publish a package to a trusted repository, and therefore simply verifying that all packages are pulled from a trusted repository does not drastically increase the difficulty of performing an attack via lockfile modification. Instead of modifying the lockfile to resolve a dependency to a Github repo, they could simply modify it to point to a malicious package that they've published on a trusted repository.

Example of attack:

ms@^2.1.1:
  version "2.1.2"
  resolved "https://registry.yarnpkg.com/malicious-package/-/malicious-package-2.1.2.tgz#d09d1f357b443f493382a8eb3ccd183872ae6009"
  integrity sha512-sGkPx+VjMtmA6MX27oA4FBFELFCZZ4S4XqeGOXCv68tT+jb3vk/RyaKWP0PTKyWtmLSM0b+adUTEvbs1PEaH2w==

Describe the solution you'd like

An additional check that would increase the difficulty significantly of an attack would be to check that the package being pulled from the trusted repository has the same name as that specified in the lockfile. That way, the attacker would be forced to compromise the legitimate package itself.

The solution I'm proposing is to add an additional verifier that checks that the package name in the lockfile key matches the package name in the resolved URL.

Describe alternatives you've considered
N/A
fabioberger added a commit to fabioberger/lockfile-lint that referenced this issue Feb 16, 2022
@fabioberger
feat: validate package name (lirantal#113)
8fe9238
fabioberger added a commit to fabioberger/lockfile-lint that referenced this issue Feb 16, 2022
@fabioberger
feat(cli arg): validate package names
b35a935 
Validate that the package names in resolved URLs match those specified in the lockfile keys

re lirantal#113
@fabioberger fabioberger mentioned this issue Feb 16, 2022
Merged
8 tasks
@fabioberger
Copy link
Contributor Author

@lirantal any feedback on this or the PR implementation?

@lirantal
Copy link
Owner

Thanks for the ping Fabio, let's take the discussion in the PR 👍🏼

@lirantal lirantal added the enhancement New feature or request label Feb 19, 2022
fabioberger added a commit to fabioberger/lockfile-lint that referenced this issue Mar 8, 2022
@fabioberger
feat(cli arg): validate package names
2b0d97a 
Validate that the package names in resolved URLs match those specified in the lockfile keys

re lirantal#113
@achrinza achrinza mentioned this issue Mar 13, 2022
Merged
4 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@fabioberger fabioberger

Labels
enhancement New feature or request
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

feat(cli arg): validate package names fabioberger/lockfile-lint
2 participants
@lirantal @fabioberger