Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Security question regarding loading code from remote URLs #5153

Closed
ahungry opened this issue May 8, 2020 · 5 comments
Closed

Security question regarding loading code from remote URLs #5153

ahungry opened this issue May 8, 2020 · 5 comments

Comments

@ahungry
Copy link

ahungry commented May 8, 2020

While its a neat feature, to load scripts as if they were in a web browser, in the examples I've come across, I didn't see anything similar to the javascript 'integrity' attribute to ensure the remote source code matches the loaded remote code.

Does Deno have such a feature? If so, disregard the rest - if not, my question is as such:

Lets say some deno code (Package A) exists in the wild, that depends on deno scripts from:

https://ahungry.com/deno-package.ts (this could be example.com, but I'm not sure that does expire)

Unlike a central repository similar to npm (which has its own problems), domain names are not permanent, and are time expired.

If ahungry.com was to expire, and a malicious actor then registered it, and hosted a malicious deno-package.ts script on their remote end, a problem arises - how does Deno ensure the user doesn't run this altered code?

If this is not the first time the user has executed Package A, perhaps its not going to be an issue until the user runs the deno upgrade (remote packages) command, at which point Deno could detect the TLS fingerprint of the remote is now different.

But, for a first time user of Package A, that has never run 'deno' before, and therefore has no hidden cache of deno packages - wouldn't it eagerly pull in and execute this code?

NPM is not suspect to this same problem, unless they expired npm packages yearly and were to allow anyone to claim other's slots after this time period (which would seem ridiculous in the context of package hosting).
@nayeemrmn
Copy link
Collaborator

Duplicate of #200. Deno has lock files.

For questions or if you're unsure, try the community chat room https://discord.com/invite/TGMHGv6 first.

Also, you're capable of closing #5152 and this.

@ahungry
Copy link
Author

ahungry commented May 8, 2020

I think this is in the same ballpark, but a different question - the solutions / discussion in that thread only tend to revolve around scenarios where "Package A" in my example has been run before.

If someone pulls in my Package A, it doesn't seem like there is a way to tell the user to include Package A and a lockfile to go with my Package A, as deno wants to treat all the package handling hidden from the user?

@ahungry
Copy link
Author

ahungry commented May 8, 2020

Anyways, I'll chime in there with this comment and close this one, ty for the discord link.

@ahungry ahungry closed this as completed May 8, 2020
@ahungry
Copy link
Author

ahungry commented May 8, 2020

Actually this should be opened still, as I didn't see a solid answer and the one you linked is itself closed.

@ahungry ahungry reopened this May 8, 2020
@ry
Copy link
Member

ry commented May 9, 2020

lock file solves this issue.

> deno run --help
[...]
        --lock <FILE>
            Check the specified lock file

        --lock-write
            Write lock file. Use with --lock.

@ry ry closed this as completed May 9, 2020
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@ry @ahungry @nayeemrmn