Open gavinking opened 7 years ago
I'm looking into this. I guess it has to do with NPM trying to install the modules to a place it has no write rights to.
I don't know much about npm (post install scripts, etc), but is this an easy way to run arbitrary code on the server?
Sounds like it, see npm-scripts(7). “Scripts are run by passing the line as a script argument to sh.” However, there is an --ignore-scripts option to npm install, so perhaps that’s enough to protect us?
@lucaswerkmeister I don't see that option --ignore-scripts mentioned?
Oh wow, it seems any unknown command line parameter is automatically interpreted as setting a config option.
I can see it in the npm-install manpage on Node 6.8.1 (Arch), but not on 0.10.29 (Debian Jessie). Which version is running in production?
Yay! Finally got this to work. Unfortunately it needed a change in the JS compiler so this is for 1.3.2 when it is released.
@chochos you probably need to take a look at the change I made to make sure it's all correct.
Great!
Well, to be honest I'm not sure if this is going to work 100%. The module I tested (node-uuid) works, but it's deprecated in favor of uuid and that one doesn't work. Possibly because the latter is a multi-file module while the former is just a single file.
Yeah, that's the problem, and all the solutions people talk about are tools like Browserify to turn everything into a single file.
I just get an "Internal Server Error".
@quintesse WDYT, could we fix this?