stephenyeargin / hubot-grafana

📈🤖 Query Grafana dashboards
http://docs.grafana.org/tutorials/hubot_howto/
MIT License
154 stars 48 forks

chore: implement OWASP recommendation for package #163

Closed KeesCBakker closed 1 year ago

KeesCBakker commented 1 year ago

Last week I had a security incident in which I uploaded something to NPM that should not have been uploaded. Because we had both a .gitignore AND an .npmignore file, the .gitignore was actually ignored. When reviewing the OWASP guidelines, I saw the recommendation that it is better to work with an explicit whitelist, instead of a blacklist (https://cheatsheetseries.owasp.org/cheatsheets/NPM_Security_Cheat_Sheet.html#1-avoid-publishing-secrets-to-the-npm-registry).

I've removed the .npmignore and added the files to the files property of the package.json. This prevents us from leaking information accidentally.

KeesCBakker commented 1 year ago

Another good practice to adopt is making use of the files property in package.json, which works as a whitelist and specifies the array of files to be included in the package that is to be created and installed (while the ignore file functions as a blacklist). The files property and an ignore file can both be used together to determine which files should explicitly be included, as well as excluded, from the package. When using both, the former, the files property in package.json, takes precedence over the ignore file.
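To make the whitelist-versus-blacklist point concrete, here is an added example (not hubot-grafana's own code) that models npm's `files` whitelist in simplified form and then audits the resulting file list for material that must never reach the registry. The working tree, the denylist and the `files` array are constructed assumptions; the PR's real package.json is not shown here. The model anchors patterns at the package root and does not emulate .gitignore/.npmignore handling, which is exactly the ambiguity the whitelist removes.

```javascript
// Added example for this PR discussion; it is not hubot-grafana's own code.
// Simplified model of npm's `files` whitelist (root-anchored patterns,
// no .gitignore/.npmignore handling) plus a pre-publish audit of the result.

// Files npm always includes regardless of `files` (package.json, README,
// LICENSE/LICENCE, CHANGELOG at the package root, plus the "main" entry).
const ALWAYS_INCLUDED = /^(package\.json|readme(\..*)?|licen[cs]e(\..*)?|changelog(\..*)?)$/i;
// Paths npm never publishes, even when listed in `files`.
const ALWAYS_EXCLUDED = /^(\.git|node_modules|\.npmrc|package-lock\.json|\.DS_Store)(\/|$)/;

// Constructed denylist of things a publish audit should refuse to ship.
const SENSITIVE = [
  /(^|\/)\.env(\..+)?$/,             // dotenv files holding credentials
  /(^|\/)\.npmrc$/,                  // may carry an npm auth token
  /\.(pem|key|p12|pfx)$/i,           // private keys and certificates
  /(^|\/)id_(rsa|ed25519)(\.pub)?$/, // SSH keys
  /(^|\/)\.git(\/|$)/,               // repository internals and reflog
];

// Minimal glob -> RegExp: `*` stays within one path segment, `**` spans segments.
function globToRegExp(pattern) {
  const escaped = pattern
    .replace(/[.+^${}()|[\]\\]/g, "\\$&")
    .replace(/\*\*/g, "\0")
    .replace(/\*/g, "[^/]*")
    .replace(/\0/g, ".*");
  // A matching entry, or anything below a matching directory, is included.
  return new RegExp(`^${escaped}(/|$)`);
}

// Returns the subset of `tree` (paths relative to the package root) that
// would be packed. `filesField` null means package.json has no `files`
// entry, so everything not always-excluded ships; `main` is the "main" entry.
function packedFiles(tree, filesField, main) {
  const rules = filesField ? filesField.map(globToRegExp) : null;
  return tree.filter((file) => {
    if (ALWAYS_EXCLUDED.test(file)) return false;
    if (!file.includes("/") && ALWAYS_INCLUDED.test(file)) return true;
    if (main && file === main) return true;
    if (!rules) return true;
    return rules.some((rule) => rule.test(file));
  });
}

// Flags entries matching the denylist. Also accepts `tar tf` output of a
// packed tarball, where every entry is prefixed with "package/".
function auditPackList(entries) {
  return entries
    .map((entry) => entry.replace(/^package\//, ""))
    .filter((entry) => SENSITIVE.some((rule) => rule.test(entry)));
}

// Constructed working tree: the files from the PR's tarball listing plus
// things that typically sit next to them but must not be published.
const TREE = [
  "package.json", "README.md", "LICENSE", "CONTRIBUTING.md", "index.js",
  "src/grafana.js", ".env", ".npmrc", "test/fixtures/token.pem",
  "node_modules/left-pad/index.js", ".git/config", ".github/workflows/ci.yml",
  "docs/notes.md",
];
// Assumed `files` whitelist; the PR's actual package.json is not on the page.
const FILES_FIELD = ["index.js", "src", "CONTRIBUTING.md"];

function demo() {
  const whitelisted = packedFiles(TREE, FILES_FIELD, "index.js");
  const unfiltered = packedFiles(TREE, null, "index.js");
  console.log("with files whitelist:", whitelisted);
  console.log("  flagged:", auditPackList(whitelisted));
  console.log("without whitelist:", unfiltered);
  console.log("  flagged:", auditPackList(unfiltered));
}

demo();
```

With the whitelist, the packed set is exactly the six files shown in the tarball listing later in this thread and the audit flags nothing; without it, the constructed `.env` and `test/fixtures/token.pem` would ship. Running `auditPackList` over real `npm pack --dry-run` or `tar tf` output before `npm publish` gives the same check against an actual build.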

KeesCBakker commented 1 year ago

So this fixes #159 in a better way.

KeesCBakker commented 1 year ago

Tree is now:

kz@LP545:/mnt/c/projects/hubot-grafana$ tar tf hubot-grafana-4.1.1.tgz | tree --fromfile .
.
└── package
    ├── CONTRIBUTING.md
    ├── LICENSE
    ├── README.md
    ├── index.js
    ├── package.json
    └── src
        └── grafana.js

2 directories, 6 files
kz@LP545:/mnt/c/projects/hubot-grafana$

KeesCBakker commented 1 year ago

@stephenyeargin, how does this work? I just merge it and you take care of the version number?

stephenyeargin commented 1 year ago

Yep. I have on my TODO list to automate releases with GitHub Actions. Currently it uses a package called release-it which handles semantic versioning, sending it to NPM and creating the changelog.

KeesCBakker commented 1 year ago

Ah cool, maybe we can use the same thing Joey uses here: https://github.com/hubot-friends/hubot-slack/pull/21#issuecomment-1664244776