POLA Would Have Prevented the Event-Stream Incident

# Mark Miller (2 years ago)

The npm / event-stream incident is the perfect teaching moment for POLA (Principle of Least Authority), and for the need to support least authority for JavaScript libraries. medium.com/agoric/pola-would-have-prevented-the-event-stream-incident-45653ecbda99 by Kate Sills (cc'ed) explains the point. The links at the end of Kate's article are worth following. In particular:

Securing EcmaScript, presentation to Node Security www.youtube.com/watch?v=9Snbss_tawI&list=PLKr-mvz8uvUgybLg53lgXSeLOp4BiwvB2 is my presentation explaining many of these issues prior to this particular incident.

At the recent (November 2018) tc39 meeting, I presented on the enhancements needed to support least authority for JavaScript modules and libraries, adequate to have prevented this incident.

Besides es-discuss news.ycombinator.com/item?id=18590116 would be a good place to discuss these issues.

# Andrea Giammarchi (2 years ago)

It's a great read and it makes sense in some case, but it also reminds me too much how Android Apps, and their incremental permission model, work.

If an App had granted access to read or write files, and the company behind such App changes, or its developers change, the permission remains but what it is used for, becomes uncertain.

In that case, the Store supposed to be the filter to grant the new version of the app doesn't do anything malicious, and that is IMO what's missing in the npm world, which is more relevant than dropping global privileges, 'cause specially in the NodeJS world, most module need fs for a reason or another.

In those cases, POLA wouldn't make much of a difference, unless the permission is not for the usage the fs module, rather the directories such module should be able to crawl.

On the Web there are already various ways to secure the network, and CSP or CORS are just few. In NodeJS though, there are also native modules nobody looks even at their source code, and having a "trusted revision" per each version, open to every module author might be, as impractical as it sounds, the best option to avoid future issues.

I think the event-stream case showed many broken rings of the Open Source chain and no-one to blame for it 'cause such chain is knowingly broken but we're OK with it.

As mentioned in a tweet, since that "scandal" happened, people kept adding stars to projects I've officially deprecated, providing more recent, robust, and actively maintained alternatives.

Maybe I should just pass ownership of these modules (one of these has 13M downloads per months) and laugh at how much nobody learns anything from the past if something like event-stream happens again (no, I'm not planing to do that, but I often wonder if I should).