eclipse-archived / ceylon-web-ide-backend

The Ceylon Web IDE
http://try.ceylon-lang.org/
Apache License 2.0

can't import from npm in the Web IDE #99

Open gavinking opened 7 years ago

gavinking commented 7 years ago

I just get an "Internal Server Error".

@quintesse WDYT, could we fix this?

quintesse commented 7 years ago

I'm looking into this. I guess it has to do with NPM trying to install the modules to a place it has no write rights to.

jvasileff commented 7 years ago

I don't know much about npm (post install scripts, etc.), but is this an easy way to run arbitrary code on the server?

lucaswerkmeister commented 7 years ago

Sounds like it, see npm-scripts(7). “Scripts are run by passing the line as a script argument to sh.” However, there is an --ignore-scripts option to npm install, so perhaps that’s enough to protect us?

quintesse commented 7 years ago

@lucaswerkmeister I don't see that option --ignore-scripts mentioned?

quintesse commented 7 years ago

Oh wow, it seems any unknown command line parameter is automatically interpreted as setting a config option.

lucaswerkmeister commented 7 years ago

I can see it in the npm-install manpage on Node 6.8.1 (Arch), but not on 0.10.29 (Debian Jessie). Which version is running in production?
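
The two concerns raised above (install-time scripts being run through sh, and unknown command-line parameters being read as config options) can be checked before npm is ever invoked. The sketch below is an added example, not part of the original thread or of the Web IDE's code: `installScriptsOf`, `buildInstallArgs`, the name pattern and the sample manifest are hypothetical, and it assumes the npm in production honours `--ignore-scripts` and that the package's `package.json` is available for inspection.

```javascript
'use strict';

// Lifecycle hooks npm runs (via sh) while installing a package.
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall'];

// Conservative allow-list (an assumption of this example): optional @scope/,
// a lowercase name, and an optional exact x.y.z version. Anything starting
// with "-" is rejected, so user input can never be parsed by npm as a
// config option.
const NAME_RE = /^(@[a-z0-9][a-z0-9._-]*\/)?[a-z0-9][a-z0-9._-]*(@\d+\.\d+\.\d+)?$/;

// Return the install-time scripts declared in a package.json string.
function installScriptsOf(packageJsonText) {
  const scripts = JSON.parse(packageJsonText).scripts || {};
  return INSTALL_HOOKS
    .filter((hook) => typeof scripts[hook] === 'string')
    .map((hook) => ({ hook, command: scripts[hook] }));
}

// Build an argv array (for child_process.execFile, which uses no shell) that
// installs one validated package with lifecycle scripts disabled.
function buildInstallArgs(userSuppliedName) {
  if (typeof userSuppliedName !== 'string' || !NAME_RE.test(userSuppliedName)) {
    throw new Error('rejected package spec: ' + JSON.stringify(userSuppliedName));
  }
  return ['install', '--ignore-scripts', userSuppliedName];
}

// Constructed sample manifest, not taken from any real package.
const SAMPLE_MANIFEST = JSON.stringify({
  name: 'example-pkg',
  version: '1.0.0',
  scripts: { test: 'mocha', postinstall: 'node setup.js' },
});

// Report what would have run at install time, then the argv to use instead.
console.log(installScriptsOf(SAMPLE_MANIFEST));
console.log(buildInstallArgs('node-uuid'));
```

The manifest check only covers the one package inspected; scripts declared by its dependencies are what `--ignore-scripts` is relied on to suppress.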

quintesse commented 7 years ago

Yay! Finally got this to work. Unfortunately it needed a change in the JS compiler so this is for 1.3.2 when it is released.

@chochos you probably need to take a look at the change I made to make sure it's all correct.

gavinking commented 7 years ago

Great!

quintesse commented 7 years ago

Well, to be honest I'm not sure if this is going to work 100%. The module I tested (node-uuid) works, but it's deprecated in favor of uuid and that one doesn't work. Possibly because the latter is a multi-file module while the former is just a single file.

quintesse commented 7 years ago

Yeah, that's the problem and all the solutions people talk about are tools like Browserify to turn everything into a single file.