I recently came across an amazing post that really emphasizes the dangers associated with installing npm packages. It seems that every week a new supply chain attack occurs.
In my opinion, the existing solutions for this don't quite cut it, so I decided to create a library which provides runtime protection for Node. It currently protects against:
- Unauthorized file system access
- Unauthorized network access
- Unauthorized command execution (by way of exec/spawn)
I just released the first beta version of the library and I'd love to hear what you guys think.
Note: Protection is still missing for post/pre install scripts, but that's up next.
Firstly, congrats on the release! With recent events, something like this seems like it could be valuable.
I will kind of jump into the obvious thing first here though: the offer is tooling around dependency security in the npm ecosystem with a package users will install from npm.
Granted, vetting one package that works to vet others helps reduce the surface area to something manageable, and that’s a good thing, but I’m curious about how you’re thinking about the chicken-egg scenario that this introduces. What assures users that malicious code doesn’t seep its way into this package as it’s seeped into others?
Cool idea -- in some ways this "deno"-fies node, which I think is a sensible approach.
So far, Hagana only blocks outbound traffic from packages that are using the http or https modules. Support for other modules (e.g. net, dgram, dns) is coming soon.
This could be a problematic approach, though. If you are going OSS and do want to become ubiquitous, you will likely need much stronger protections. Obfuscation is not a path to security, but blocking only some very basic vectors and then being explicit about it will have attackers adopt other similar vectors.
All in all, a cool first attempt at building with some work to do!
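The coverage gap raised in the comment above, as an added example that is not part of the thread and is not Hagana's code: an allowlist guard installed only on `http` and `https`, with a check that reports which of the modules named in the thread still have no guard. The names `guardOutbound`, `coverage` and `targetHost` and the host names are hypothetical.

```javascript
// Added example, not Hagana's code. Function names and hosts are hypothetical.
const http = require('node:http');
const https = require('node:https');

// Modules named in the thread that can send traffic off the host.
const NETWORK_MODULES = ['http', 'https', 'net', 'dgram', 'dns'];

// Work out the destination host from the argument shapes http.request accepts:
// a URL string, a URL object, or an options object.
function targetHost(args) {
  const first = args[0];
  if (typeof first === 'string') return new URL(first).hostname;
  if (first instanceof URL) return first.hostname;
  const opts = first || {};
  return opts.hostname || opts.host || 'localhost';
}

// Wrap request/get on one module so a call to a host outside the allowlist
// throws before the original function runs (no socket is ever created).
function guardOutbound(mod, allowlist, guarded, name) {
  for (const method of ['request', 'get']) {
    const original = mod[method];
    mod[method] = function (...args) {
      const host = targetHost(args);
      if (!allowlist.has(host)) {
        throw new Error(`blocked outbound ${name}.${method} to ${host}`);
      }
      return original.apply(this, args);
    };
  }
  guarded.add(name);
}

// Report which network-capable modules still have no guard installed.
function coverage(guarded) {
  return NETWORK_MODULES.filter((m) => !guarded.has(m));
}

const guarded = new Set();
const allowlist = new Set(['registry.example.test']); // constructed sample policy
guardOutbound(http, allowlist, guarded, 'http');
guardOutbound(https, allowlist, guarded, 'https');
console.log('unguarded:', coverage(guarded).join(', '));
```

A policy report like this makes the unprotected surface explicit, so a reviewer can see that the allowlist is only as complete as the set of modules it has been installed on.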