Malicious Package: An attacker authors a malicious package and publishes it on NPM so that WebWriter can find it. The user installs it and a script is executed on the user machine.
1a. Typo-squatting/Trojan: An attacker typo-squats an existing widget package and copies the metadata to appear the same.
Dependency chain attack: An attacker gains control of a package that widget packages depend upon, leading to the same issues as (1).
Package Spam: An attacker may publish spam packages that get picked up by WebWriter and are displayed to authors. This may even happen unintentionally if the webwriter-widget keyword is used.
Mitigations:
[x] Do not execute scripts on package installation (--ignore-scripts) -> This would allow malicious package to execute arbitrary code. (mitigates 1, 2)
[ ] Deny installation if lockfile and package.json differ (--frozen-lockfile) -> This makes builds deterministic and avoids security issues introduced by updates anywhere in the dependency tree (mitigates 2) BUT introduces the burden of consistent lockfiles on developers
[ ] Publish an allowlist and hide results not on the allowlist by default, e.g. allowing by organization name (mitigates 3) BUT adds a maintenance burden
Widgets are distributed as NPM packages, and WebWriter installs these packages on the user's machine using a package manager. As such, all scenarios and mitigations of NPM packages in general apply. https://cheatsheetseries.owasp.org/cheatsheets/NPM_Security_Cheat_Sheet.html
Scenarios:
webwriter-widgetkeyword is used.Mitigations:
--ignore-scripts) -> This would allow malicious package to execute arbitrary code. (mitigates 1, 2)--frozen-lockfile) -> This makes builds deterministic and avoids security issues introduced by updates anywhere in the dependency tree (mitigates 2) BUT introduces the burden of consistent lockfiles on developers