audreyt / ethercalc

Node.js port of Multi-user SocialCalc
https://ethercalc.net

Ethercalc using hacked dependencies? #782

Closed pozzo-balbi closed 2 years ago

pozzo-balbi commented 2 years ago

Hi, I found, as you can see in the attached screenshot (Screenshot at 2022-03-25 06-39-04), some strange blocked content in my fresh ethercalc installation. I searched with grep for "csdnimg.cn" but found nothing, hence my worries about where this came from.

Is some node.js package used as dependency hacked and some code in the background after some time tries to load malware?

Note, I am using the npm package of ethercalc.

jlpoolen commented 2 years ago

That this issue goes unaddressed by the project's maintainer is very disconcerting. I guess I'll look closer at other alternatives.

ocdtrekkie commented 2 years ago

@jlpoolen As a note, statements like "I'll go elsewhere if you don't address this" towards open source maintainers tend not to offer much: You're not providing anything anyways, I assume.

I believe Audrey is fairly busy at present, EtherCalc hasn't seen a lot of active development of late.

Personally, I hadn't noticed this issue and find it intriguing, I may poke around it for curiosity's sake. I'm reasonably confident it doesn't impact the Sandstorm version but the Sandstorm version is also even older, so I'm curious when/where this started to occur.

jlpoolen commented 2 years ago

> @jlpoolen As a note, statements like "I'll go elsewhere if you don't address this" towards open source maintainers tend not to offer much: You're not providing anything anyways, I assume.
>
> I believe Audrey is fairly busy at present, EtherCalc hasn't seen a lot of active development of late.
>
> Personally, I hadn't noticed this issue and find it intriguing, I may poke around it for curiosity's sake. I'm reasonably confident it doesn't impact the Sandstorm version but the Sandstorm version is also even older, so I'm curious when/where this started to occur.

I hope that if you find the project has not utilized "hacked dependencies" the ticket will be closed, or the title, which currently is "URGENT: Ethercalc using hacked dependencies?", will be revised.

Good luck on your venture!

ocdtrekkie commented 2 years ago

I haven't had time yet to actually download the NPM package, see if I can replicate the original poster's findings, and poke around the dependencies, but my best guess on what csdnimg.cn is would be the content CDN for https://en.wikipedia.org/wiki/Chinese_Software_Developer_Network

audreyt commented 2 years ago

I cannot reproduce this finding on either a local installation or the public instance. My best guess is that @pozzo-balbi's environment is somehow preconfigured with csdn/tingyun instrumentation.

pozzo-balbi commented 2 years ago

Hi, no, I don't even know what csdn/tingyun is. My guess is that ethercalc is using so many dependencies that at some point in time one or more packages were doing things they were not supposed to have done. As one could see, the problem was mitigated client side, since my server had CSP configured. With the limited time I had, I did not find anything (commands find and grep) on the server.