
Warning about NPM modules


Severity: Advisory

Vendor: Node Package Manager (NPM)

Versions Affected

  • Pivotal Cloud Foundry Elastic Runtime
  • Cloud Foundry NodeJS Buildpack

Description

If your app developers deploy Node applications, we'd like to alert you to recent developments with NPM and module ownership in the Node community.

A blog post was published 3/22/16 explaining why Azer Koçulu (github handle @azer), the owner of many popular Node modules, had un-published all of his modules from NPM's public repository.

This un-publishing of modules left open the question of "ownership" for the module names, creating an opportunity for malicious actors to take over ownership of the module and publish a version of the module with malicious code.

At this moment, it's not clear whether any of the new owners of Azer's modules have malicious intent or have acted maliciously.

However, this is a great time to review how app developers on your Pivotal Cloud Foundry platform are packaging their applications, and see if those applications might be susceptible to running unexpected code.

Who Might be Susceptible?

If your app developers are vendoring their node modules, they are probably fine (unless they have pulled in a questionable module while vendoring since the unpublish event).

If your app developers are not using any of Azer's modules, this particular unpublish event won't affect them. Unfortunately, it may not be easy to determine whether this is the case, because the modules may be pulled in transitively rather than declared directly.

To check if an app is using any of the affected packages:

SSH into a running application container and check:

cf ssh <appname>                 # open a shell in a running instance of the app
export HOME=/home/vcap/app       # the staged application code lives here
cd $HOME
source ~/.profile.d/nodejs.sh    # puts the buildpack's node and npm on the PATH
npm list                         # print the installed dependency tree, including transitive modules

An app developer can then correlate the results against Azer's published list of unpublished modules. If any matches are found, the developer should investigate whether the application was staged after Azer unpublished the modules, since only a resolution that happened after that point could have fetched a replacement version.

Mitigation

Azer is still maintaining his modules on GitHub, so an app developer may be able to point their package.json at the GitHub repository directly, instead of at NPM.

General instructions for declaring NPM dependencies are here.

As an example, kik could be pulled from GitHub by declaring the dependency as:

...
  "dependencies": {
    "kik": "git://github.com/azer/kik",
  ...

However, Pivotal has encountered difficulties resolving all of a project's dependencies in this way, so unfortunately, mileage may vary.

Good Practices

If app developers are not vendoring their node modules, they should be advised to do so. This means that modules are resolved once, before push, and not during staging.

To ensure modules are vendored, before pushing run:

npm install # vendors into ./node_modules

Any subsequent cf push will upload your vendored dependencies as part of the application code, and the buildpack will not attempt to resolve and download these modules at staging time.
