Plus: Flat learning curve to quickly develop a demo program in the target programming language.

A good approach seems to be studying package managers that were found to be not vulnerable to typosquatting attacks and identifying the critical differences that make one package manager attackable and the other not.

In my thesis, I initially wanted to also attack the repositories, and found good reasons and obstacles to not include them in my attack.

There is a long discussion on GitHub whether to allow pre- and post-install hooks similar to the ones used in npm. Sheerun commented in a GitHub issues discussion:

Allowing postinstall raises serious security issues. With them anyone is able to run arbitrary code on your computer and on your production machines. That's why it's impossible in tools like git to commit any hooks to the repository. This is especially dangerous in the case of bower as it doesn't use any checksums, or packaging. A lot of people are depending on branches which can change at any moment (as well as tags btw.).

As pointed out, postinstall is also useless to post-process files as the user environment is unknown and unpredictable. Bower is going to have a publish command, so a pre-publish hook will be ok. If hooks are implemented, they should be immediately reverted and deprecated. With npm, post-install is more acceptable (still a bad idea) because you can't avoid executing javascript files on the server. Bower is a different story as packages are executed only in the web browser. Also npm has checksums, packaged packages, projects like. Moreover bower is used not only by node projects. This "feature" makes any project using bower directly vulnerable (like or or bower CDNs).

This comment explains the exact reasons why a package manager shouldn't have pre/post install functionality.

Additionally, there are a few points that make Bower very attractive to an attack:

The Bower registry does not have authentication or user management at this point in time.
Bower doesn't support GitHub-style namespacing (org/repo). It's on a first come, first served basis.
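As an added example (not code from the original post, nor from Bower or npm), the following JavaScript audits a dependency manifest for the three risks discussed above from the defender's side: dependency names a few edits away from a well-known package in a flat, first-come-first-served namespace, git refs that follow a branch instead of a tag or commit, and install-time hooks declared in a dependency's own npm-style manifest. The popular-package list, both sample manifests and the `example-org` name are constructed for the demo; a real audit would take the popular list from registry download statistics.

```javascript
// Added example: a small defender-side audit of a dependency manifest for
// the risks discussed above. Not code from the original post, Bower or npm.
// The popular-package list and the sample manifests below are constructed
// for the demo; in practice the list would come from registry statistics.

const POPULAR_PACKAGES = ['jquery', 'bootstrap', 'angular', 'lodash', 'moment'];
// npm script names that run on the consumer's machine during installation.
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall'];

// Levenshtein edit distance (insert, delete, substitute; cost 1 each),
// computed with a single rolling row.
function levenshtein(a, b) {
  const row = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diag = row[0];      // D[i-1][j-1]
    row[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const above = row[j]; // D[i-1][j]
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      row[j] = Math.min(above + 1, row[j - 1] + 1, diag + cost);
      diag = above;
    }
  }
  return row[b.length];
}

// Dependency names within maxDistance edits of a well-known package. In a
// registry without namespacing, such a name is either the real package
// (distance 0, not reported) or a look-alike registered by someone else.
function findLookalikes(dependencies, popular = POPULAR_PACKAGES, maxDistance = 2) {
  const findings = [];
  for (const name of Object.keys(dependencies)) {
    for (const known of popular) {
      const distance = levenshtein(name.toLowerCase(), known);
      if (distance > 0 && distance <= maxDistance) {
        findings.push({ name, resembles: known, distance });
      }
    }
  }
  return findings;
}

// Classify the ref part of a bower-style spec ("repo#ref" or a bare range).
// A full commit id cannot move; a version/tag normally does not; a branch
// name can change at any time; a missing ref resolves to whatever is newest.
function classifyRef(spec) {
  const hash = spec.indexOf('#');
  const ref = hash === -1 ? spec : spec.slice(hash + 1);
  if (/^[0-9a-f]{40}$/i.test(ref)) return 'commit';
  if (/^[~^>=<]*v?\d+(\.\d+){0,2}(-[\w.]+)?$/.test(ref)) return 'version';
  if (hash === -1 || ref === '' || ref === '*' || ref === 'latest') return 'unpinned';
  return 'branch';
}

function findMutableRefs(dependencies) {
  return Object.entries(dependencies)
    .map(([name, spec]) => ({ name, spec, ref: classifyRef(spec) }))
    .filter((d) => d.ref === 'branch' || d.ref === 'unpinned');
}

// Install-time scripts declared in a dependency's own (npm-style) manifest.
// Bower has no such hooks, which is exactly the point of the discussion above.
function findInstallHooks(depManifest) {
  const scripts = depManifest.scripts || {};
  return INSTALL_HOOKS.filter((hook) => Object.prototype.hasOwnProperty.call(scripts, hook));
}

function audit(manifest, depManifests = {}) {
  const deps = manifest.dependencies || {};
  const installHooks = {};
  for (const [name, m] of Object.entries(depManifests)) {
    const hooks = findInstallHooks(m);
    if (hooks.length > 0) installHooks[name] = hooks;
  }
  return {
    lookalikes: findLookalikes(deps),
    mutableRefs: findMutableRefs(deps),
    installHooks,
  };
}

// Constructed sample input (not a real project).
const sampleBowerJson = {
  name: 'demo-app',
  dependencies: {
    jquery: '~2.1.0',                                // real package, version range
    jqeury: '1.0.0',                                 // two edits away from jquery
    'some-widget': 'example-org/some-widget#master', // follows a branch
    lodahs: 'lodahs#0.1.0',                          // two edits away from lodash
  },
};
const sampleDepManifests = {
  lodahs: { name: 'lodahs', version: '0.1.0', scripts: { postinstall: 'node setup.js', test: 'mocha' } },
};

console.log(JSON.stringify(audit(sampleBowerJson, sampleDepManifests), null, 2));
```

The edit-distance threshold of 2 catches single typos and transpositions (`jqeury`, `lodahs`) without flagging unrelated names; raising it trades false positives for coverage of longer package names. The ref check deliberately treats semver tags as stable but not immutable, matching the caveat in the quoted comment that tags can be moved too.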