POLA Would Have Prevented the Event-Stream Incident

# Mark Miller (5 years ago)

The npm / event-stream incident is the perfect teaching moment for POLA (Principle of Least Authority), and for the need to support least authority for JavaScript libraries. medium.com/agoric/pola-would-have-prevented-the-event-stream-incident-45653ecbda99 by Kate Sills (cc'ed) explains the point. The links at the end of Kate's article are worth following. In particular:

Securing EcmaScript, presentation to Node Security www.youtube.com/watch?v=9Snbss_tawI&list=PLKr-mvz8uvUgybLg53lgXSeLOp4BiwvB2 is my presentation explaining many of these issues prior to this particular incident.

At the recent (November 2018) tc39 meeting, I presented on the enhancements needed to support least authority for JavaScript modules and libraries, adequate to have prevented this incident.

Besides es-discuss news.ycombinator.com/item?id=18590116 would be a good place to discuss these issues.

The npm / event-stream incident is the perfect teaching moment for POLA
(Principle of Least Authority), and for the need to support least authority
for JavaScript libraries.
https://medium.com/agoric/pola-would-have-prevented-the-event-stream-incident-45653ecbda99
by Kate Sills (cc'ed) explains the point. The links at the end of Kate's
article are worth following. In particular:

Securing EcmaScript, presentation to Node Security
https://www.youtube.com/watch?v=9Snbss_tawI&list=PLKr-mvz8uvUgybLg53lgXSeLOp4BiwvB2
is
my presentation explaining many of these issues *prior to* this particular
incident.

At the recent (November 2018) tc39 meeting, I presented on the enhancements
needed to support least authority for JavaScript modules and libraries,
adequate to have prevented this incident.

Besides es-discuss
https://news.ycombinator.com/item?id=18590116
would be a good place to discuss these issues.

--
  Cheers,
  --MarkM
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.mozilla.org/pipermail/es-discuss/attachments/20181203/6c049d8c/attachment.html>

# Andrea Giammarchi (5 years ago)

It's a great read and it makes sense in some case, but it also reminds me too much how Android Apps, and their incremental permission model, work.

If an App had granted access to read or write files, and the company behind such App changes, or its developers change, the permission remains but what it is used for, becomes uncertain.

In that case, the Store supposed to be the filter to grant the new version of the app doesn't do anything malicious, and that is IMO what's missing in the npm world, which is more relevant than dropping global privileges, 'cause specially in the NodeJS world, most module need fs for a reason or another.

In those cases, POLA wouldn't make much of a difference, unless the permission is not for the usage the fs module, rather the directories such module should be able to crawl.

On the Web there are already various ways to secure the network, and CSP or CORS are just few. In NodeJS though, there are also native modules nobody looks even at their source code, and having a "trusted revision" per each version, open to every module author might be, as impractical as it sounds, the best option to avoid future issues.

I think the event-stream case showed many broken rings of the Open Source chain and no-one to blame for it 'cause such chain is knowingly broken but we're OK with it.

As mentioned in a tweet, since that "scandal" happened, people kept adding stars to projects I've officially deprecated, providing more recent, robust, and actively maintained alternatives.

Maybe I should just pass ownership of these modules (one of these has 13M downloads per months) and laugh at how much nobody learns anything from the past if something like event-stream happens again (no, I'm not planing to do that, but I often wonder if I should).

Best

It's a great read and it makes sense in some case, but it also reminds me
too much how Android Apps, and their incremental permission model, work.

If an App had granted access to read or write files, and the company behind
such App changes, or its developers change, the permission remains but what
it is used for, becomes uncertain.

In that case, the Store supposed to be the filter to grant the new version
of the app doesn't do anything malicious, and that is IMO what's missing in
the `npm` world, which is more relevant than dropping global privileges,
'cause specially in the NodeJS world, most module need `fs` for a reason or
another.

In those cases, POLA wouldn't make much of a difference, unless the
permission is not for the usage the `fs` module, rather the directories
such module should be able to crawl.

On the Web there are already various ways to secure the network, and CSP or
CORS are just few. In NodeJS though, there are also native modules nobody
looks even at their source code, and having a "trusted revision" per each
version, open to every module author might be, as impractical as it
sounds, the best option to avoid future issues.

I think the event-stream case showed many broken rings of the Open Source
chain and no-one to blame for it 'cause such chain is knowingly broken but
we're OK with it.

As mentioned in a tweet, since that "scandal" happened, people kept adding
stars to projects I've officially deprecated, providing more recent,
robust, and actively maintained alternatives.

Maybe I should just pass ownership of these modules (one of these has 13M
downloads per months) and laugh at how much nobody learns anything from the
past if something like event-stream happens again (no, I'm not planing to
do that, but I often wonder if I should).

Best Regards

On Tue, Dec 4, 2018 at 5:19 AM Mark Miller <erights at gmail.com> wrote:

> The npm / event-stream incident is the perfect teaching moment for POLA
> (Principle of Least Authority), and for the need to support least authority
> for JavaScript libraries.
>
> https://medium.com/agoric/pola-would-have-prevented-the-event-stream-incident-45653ecbda99
> by Kate Sills (cc'ed) explains the point. The links at the end of Kate's
> article are worth following. In particular:
>
> Securing EcmaScript, presentation to Node Security
>
> https://www.youtube.com/watch?v=9Snbss_tawI&list=PLKr-mvz8uvUgybLg53lgXSeLOp4BiwvB2 is
> my presentation explaining many of these issues *prior to* this particular
> incident.
>
> At the recent (November 2018) tc39 meeting, I presented on the
> enhancements needed to support least authority for JavaScript modules and
> libraries, adequate to have prevented this incident.
>
> Besides es-discuss
> https://news.ycombinator.com/item?id=18590116
> would be a good place to discuss these issues.
>
> --
>   Cheers,
>   --MarkM
> _______________________________________________
> es-discuss mailing list
> es-discuss at mozilla.org
> https://mail.mozilla.org/listinfo/es-discuss
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.mozilla.org/pipermail/es-discuss/attachments/20181204/fa8fe66a/attachment.html>