Developer's perspective on security


v2


@naugtur, meet.js Summit, 2019
## I'm not a hacker
My first 5 lines of JavaScript ever

```js
function kill(){
  setTimeout('kill',0)
  setTimeout('kill',0)
}
kill()
```

breaks Windows pre XP SP2
Now to the point
### Make it harder for the hacker

> In computing, hardening is usually the process of securing a system by reducing its surface of vulnerability (...)
## Development Hardening

- no hacking knowledge required
- introduce new tools and practices
- close big gaps with little effort
### you are still responsible for your code
# Ok, so what's the threat

Injections

Malicious packages

Data theft

XSS

CSRF

RCE

RegExp DoS

Wait, did he say
MongoDB injections?

```js
Collection.find(req.query)
```

```
?id=1
?$where=sleep(20000)
```

Source: Node.js Interactive talk
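As an added example (not from the talk), one way to harden `Collection.find(req.query)`: refuse any query that carries MongoDB operators and only allow equality matches on a whitelist of fields. It also covers operators nested below the top level (`?id[$ne]=1`), which a query-string parser like Express's turns into nested objects; `ALLOWED_FIELDS` and `QueryRejected` are hypothetical names chosen here.

```javascript
// Added example: guard the filter handed to Collection.find() so that
// operators such as $where cannot be smuggled in from the URL.
// Assumes Express-style parsing, where `?a[$ne]=1` becomes { a: { $ne: "1" } }.

const ALLOWED_FIELDS = new Set(["id", "owner", "status"]); // hypothetical schema

class QueryRejected extends Error {}

// Walk the parsed query recursively; any key starting with "$" is an operator
// the client must never be allowed to supply (e.g. $where, $ne, $regex).
function assertNoOperators(value, path = "query") {
  if (value === null || typeof value !== "object") return;
  for (const [key, child] of Object.entries(value)) {
    if (key.startsWith("$")) {
      throw new QueryRejected(`operator ${key} not allowed at ${path}`);
    }
    assertNoOperators(child, `${path}.${key}`);
  }
}

// Build a filter that only compares whitelisted fields against plain strings.
// Non-string values (arrays, nested objects) are rejected, which also blocks
// `?id[$ne]=1` style payloads even if they slipped past the operator check.
function buildFilter(query) {
  assertNoOperators(query);
  const filter = {};
  for (const [field, raw] of Object.entries(query)) {
    if (!ALLOWED_FIELDS.has(field)) {
      throw new QueryRejected(`field ${field} not allowed`);
    }
    if (typeof raw !== "string") {
      throw new QueryRejected(`field ${field} must be a plain string`);
    }
    filter[field] = raw; // equality match only
  }
  return filter;
}

// Constructed request queries, as Express would parse them.
const ok = buildFilter({ id: "1" }); // -> { id: "1" }
const attempts = [{ $where: "sleep(20000)" }, { id: { $ne: "1" } }, { role: "admin" }];
let blocked = 0;
for (const bad of attempts) {
  try { buildFilter(bad); } catch (e) { if (e instanceof QueryRejected) blocked++; }
}
console.log(ok, `${blocked} of ${attempts.length} malicious queries rejected`);
```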
Now to the point (again)
### dev hardening with NPM workflows
Ok, I must say this.

## Don't use `eval`
### Someone to shout at you

```
npm install --save-dev eslint-plugin-security
```

Disabling this warning is ok

```
3:18 warning Function Call Object Injection Sink
```
### Or is it?

```js
// node.js
const request = require("request")
const method = ???
const payload = "console.log('pwnd')"
request[method](payload)(); // prints 'pwnd', but how?
```
### eval, eval everywhere

```js
const request = require("request")
const method = "constructor" // request is a function, so its constructor is Function
const payload = "console.log('pwnd')"
request[method](payload)(); // Function(payload)() evaluates the string, just like eval
```
### postinstall scripts

`npm install` is an RCE
### don't run them!

```
npm install --ignore-scripts
```

If you have to compile some packages

```
npm i -D allow-scripts
allow-scripts
```

runs only install scripts of packages listed as trusted in package.json
#### or run them and avoid consequences

Never run `npm install` in production.

```yml
script:
  - npm ci
artifacts:
  paths:
    - node_modules/
  expire_in: 24h
```
### audit dependencies!

## `npm audit fix`

Story time

Integrations team at Egnyte

>30 apps

mass maintenance

### We want audit in CI

- run audit check in CI
- manage your security decisions
- no demo-day hangovers
- npm-audit-resolver
### npm audit resolver

Wrapper for `npm audit` in CI

```
check-audit
```

Tool to manage your security decisions

```
resolve-audit
resolve-audit --yarn
```

npm audit resolver

```
$ resolve-audit
lodash needs your attention.

[ low ] Prototype Pollution
vulnerable versions <4.17.5 found in:
-  devDependencies: lodash
f) fix with npm install lodash
d) show more details and ask me again
r) remind me in 24h
i) ignore paths
del) Remove all listed dependency paths
s) Skip this
q) Quit
What would you like to do?
```
### npm audit resolver

- RFC is open to add it to `npm audit`.
- Extracted core -> can be added to any package manager's audit command.
- Now with experimental yarn support.

You can use it now. Feedback welcome!
## All together now!

```yml
script:
  - npx -p eslint -p eslint-plugin-security eslint src/
  - npm ci --only=production --ignore-scripts
  - npx allow-scripts
  - npx -p npm-audit-resolver check-audit
artifacts:
  paths:
    - node_modules/
  expire_in: 24h
```

- [gitlabci-job-prototypes](https://www.npmjs.com/package/gitlabci-job-prototypes)
- [secure-dependencies](https://www.npmjs.com/package/secure-dependencies) package can help if you're not on docker etc.
## Prevent XSS exploitation

Content Security Policy

- [content-security-policy.com](https://content-security-policy.com/)
- [approachable docs on MDN](https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP)
- [my talk from 2014!](https://naugtur.pl/pres2/csp/)

Just a header to add to your app
### How to deploy CSP in a large legacy app

- `Content-Security-Policy-Report-Only` at first
- deploy with desired policy
- see what would fail
- fix app or loosen the policy
- switch to `Content-Security-Policy`
## Serious tooling for code security in Node.js

If you still don't trust your dependencies, look into those.

- [module-keys](https://www.npmjs.com/package/module-keys)
- [node-sec-patterns](https://www.npmjs.com/package/node-sec-patterns)

And potentially other tools from [mikesamuel](https://www.npmjs.com/~mikesamuel)
## Bonus

Node.js package network access control

[package-firewall](https://www.npmjs.com/package/package-firewall)

- Experimental tool for checking which packages access network
- I wrote it yesterday, no kidding
- Please try it on your app
- Let me know if you can hack around it

### Don't rely on it, it's an experiment

@naugtur

Look for slides here: naugtur.pl

I also do training...

naugtur.pl/training
# thx!