Rakia Ben Sassi


Web Development

GitHub Discovered 7 Vulnerabilities in NodeJS — What Does This Mean For You?

A walkthrough of the vulnerabilities and the recommendations for users

Image by methodshop from Pixabay

In March 2020, GitHub, which Microsoft has owned since 2018, acquired npm, the JavaScript package manager. On September 8, 2021, GitHub acknowledged seven vulnerabilities in the tar and @npmcli/arborist Node.js packages, both of which are dependencies of the npm CLI.

Today, we’ll explore what these vulnerabilities are, what they mean, and what you should do to avoid being affected and protect your projects. But before we start, let’s look at what the tar and @npmcli/arborist packages actually are.

What Is Tar?

The npm package tar (node-tar) is a JavaScript library that implements the behavior of tar(1) on Unix systems: it creates, lists, and extracts tar archives from Node.js.

A “tar file” or “tarball” is an archive of file system entries: directories, files, and links. The name comes from “tape archive”. If you run man tar on a Unix command line, you'll get more details like the following:

tar(1) manual: The output of running “man tar” command on Mac (screenshot by author)

tar has 5 main top-level commands:

  • c to create an archive.
  • r to replace entries within an archive.
  • u to update entries within an archive.
  • t to list out the contents of an archive.
  • x to extract an archive to disk.

There are other flags and options that change how these top-level commands work.

tar is downloaded tens of millions of times a week: the npm CLI uses it to extract and install every package, and thousands of other projects beyond the npm CLI depend on it directly.

What Is Arborist?

@npmcli/arborist is a core dependency of the npm CLI and is used to manage node_modules trees.

@npmcli/arborist at the left (arborist image source, right image by author)

What the node_modules folder represents is really a dependency graph, not a dependency tree: the relationships between the packages in a project form a graph with cycles and overlapping edges.

The package manager reads the declared dependency constraints, finds a graph that satisfies them, and then reifies that graph onto disk. On disk the modules look like a plain tree of folders; at runtime, Node's module resolution walks that tree and reconstructs the graph from it.

The role of Arborist is to build the tree that satisfies the dependency graph.

“The tree building approach builds upon the “maximally naive deduplication” approach developed by Rebecca Turner when npm v3 introduced up-front deduplication, but adds two new features.

In a nutshell, maximally naive deduplication starts from a given node in the tree (typically the root node), and creates a queue of dependencies that are currently missing or invalid. Then, for each, it starts from the node’s node_modules folder, walks up the tree towards the root to find the shallowest placement location that does not cause any conflicts. The newly placed node is added to the queue so its dependencies can be placed, and the process continues.” — Arborist Deep Dive

Example of npm dependencies tree (image by author)

What Are the Vulnerabilities and What Do They Mean?

GitHub has acknowledged seven Common Vulnerabilities and Exposures (CVEs) related to tar and @npmcli/arborist; four of them also affect the npm CLI itself, which bundles both packages:

When a package is installed, the npm CLI is supposed to guarantee that its contents end up only in that package's own folder within the node_modules directory hierarchy. These vulnerabilities let a crafted package or archive break out of that folder.

If tar is used to extract untrusted tar files, or the npm CLI is used to install untrusted npm packages, then under certain file system conditions (for example, archives containing symbolic links, hard links, or absolute paths, the very entries GitHub now blocks at publish time) an attacker can overwrite arbitrary files on the installing machine, which can lead to arbitrary code execution. The --ignore-scripts flag does not protect you here: no lifecycle script is involved, because the overwrite happens during extraction itself.

Recommendations for Users

On July 29, 2021, GitHub started blocking the publication of npm packages that contain symbolic links, hard links, or absolute paths. This protects the public registry going forward; it does nothing for tarballs from other sources or for already-installed tooling, so the client-side upgrades below are still required.

GitHub also shipped fixes for the vulnerabilities and sent 16.7 million Dependabot alerts and 1.8 million notifications to possibly affected users.

  • GitHub recommends upgrading the npm CLI to version 6.14.15, 7.21.0, or higher.
  • If your project depends on tar, directly or transitively, update it to version 4.4.19, 5.0.11, 6.1.10, or higher. Run npm ls tar to list every copy of tar in your tree and its version.
  • The v3 branch of tar is deprecated and receives no fix, so projects still on it should move to v6.
  • The npm team also responded with a tweet asking npm users to update to the latest release of Node.js 12, 14, or 16 (which bundle a patched npm), or to update npm itself to a patched 6.x or 7.x release, and to update any dependency they may have on tar.

You can find more details regarding all CVEs on the GitHub blog.

🧠💡 I write about engineering, technology, and leadership for a community of smart, curious people. Join my free email newsletter for exclusive access or sign up for Medium here.

You can check my video course on Udemy: How to Identify, Diagnose, and Fix Memory Leaks in Web Apps.

Programming
Software Development
JavaScript
Technology
Startup