Open RafaelGSS opened 2 months ago
How would you envision it being used? Since legitimate postinstall scripts often are about building native packages, they end up executing code in a way that the Node permission model wouldn't apply.
How would you envision it being used? Since legitimate postinstall scripts often are about building native packages, they end up executing code in a way that the Node permission model wouldn't apply.
In case of building native packages, it will be denied, yeah. I was imagining a specific use case where a Node.js script is run. Do you see another use case for this? Either during the package installation or the module usage itself
On the top of my head I don't see a lot of use cases for Node.js-based postinstall scripts - afaik the two categories in the wild are:
optionalDependencies
, since it integrates with the cache and lockfile. So we don't really want to encourage that.So limiting the scope of Node.js scripts during postinstall isn't that impactful imo: in most cases users will be better served by disabling the postinstall entirely (if it's an ad), or running it with full permissions (if it's a compiled package).
With that said I think it could be interesting to discuss how to make yarn run
secure the processes it starts - while I'm afraid postinstall is kind of an unfortunate evil, I could imagine us setting up a jail in yarn run
so that transitive dependencies of your scripts (especially those which don't define a postinstall scripts, and thus have less scrutiny) can't compromise the user.
Hi folks,
As part of Permission Model initial roadmap (https://github.com/nodejs/security-wg/issues/898), we would like to discuss how Permission Model can be used by package managers to prevent (partially) supply chain attacks, mostly through
postinstall
scripts.If you install a package containing a 'postinstall' script that attempts to compromise the filesystem somehow, the permission model can act and prevent it. Considering this is an experimental feature, I suggest having it behind a flag as well when using package managers.
cc: @nodejs/npm @arcanis