Commit
Showing 3 changed files with 64 additions and 6 deletions.
@@ -1,7 +1,29 @@ | ||
### Tool/Technology 1 | ||
## Tools / Technology | ||
|
||
List the aspects you learned, and the resources you used to learn them, and a brief summary of each resource. | ||
### Node Package Manager (`npm`) and Security Risks | ||
|
||
### Tool/Technology 2 | ||
To preface, I of course knew about `npm` and how to use it (even before starting CS3281). However, I think it is definitely worth putting it here, because I have done some additional explorations into `npm` and matters of security revolving around `npm`. | ||
|
||
... | ||
`npm` is a package manager for `Node.js` and is usually installed (by default) together with `Node.js`. I learnt about it when I first started learning about `Node.js` - this was about 4 years ago - during my Orbital project, where I built an entire frontend for a web application in React. Since then, I've created many React sites mindlessly with `create-react-app` and using `npm` for package management. Mainly because it just worked. I didn't need to know more about how these worked - I just needed to create a new app prototype quickly, and it was all there was to it. | ||
|
||
Recently, I've been taking a bit more interest in how `npm` itself is managed. Within the last few years, I have heard of how `npm` vulnerabilities can be easily exploited, and that the whole system is extremely fragile. After some digging and reading up, here are some interesting details I have learnt: | ||
|
||
- `npm` consists of over a million packages with various different functionalities. This means that it is entirely possible for a malicious actor to create a deceptive package and hide it within the sea of legitimate utility packages. | ||
- There are multiple ways of embedding malicious code via `npm` packages. For instance, [here](https://www.fortinet.com/blog/threat-research/malicious-packages-hiddin-in-npm) are details on 9 sets of malicious code that were discovered by FortiGuard Labs in 2023. Broadly, some of these include: | ||
1. Extracting and uploading sensitive data such as configurations and SSH keys or source code, or fingerprinting details such as username or IP address, through a verbose, compacted `index.js` file. | ||
2. Hiding a webhook to extract sensitive system information and personal data, within the installation script `index.js` or `index.mjs`. | ||
3. Disabling TLS certificate validation through the installation script, hence making the connection insecure and vulnerable to man-in-the-middle attacks. | ||
4. Downloading automatically a malicious executable file to the local directory. | ||
- There are some general ways to mitigate (keyword: mitigate, not eliminate) security risks with `npm`: | ||
1. Use dependency & version managers to keep the system updated. | ||
2. Use security scanning tools to detect known vulnerability in packages. | ||
3. Implement a package whitelist to only allow certain approved packages. | ||
4. Conduct regular backups and implement user access control. | ||
|
||
The fact is, the above security risks mentioned are known to the public - and hence, I imagine that actual security risks and vulnerabilities will be far more insidious and difficult to find. After learning about this, I had a moment of epiphany. When I was younger, it seemed that `npm` and similar package managers (e.g. `pnpm` or `yarn` or `webpack`) were quite an impressive feat of software engineering. Now, while I still do share the same sentiment, it has been saddled with an additional layer of skepticism and cynicism. | ||
|
||
Drama aside, it was cool to learn about security risks and vulnerabilities in `npm`, and how to manage it - it would be great to help reinforce this within MarkBind as well, since we have been neglecting that aspect for some time. Now that I know how some of these attacks work, I can see that it is indeed very possible for MarkBind to be used as an entryway for some of these attacks; just because MarkBind is a static site generator, does not mean that it cannot contain similar malicious code. | ||
|
||
MarkBind Issue [#2607](https://github.com/MarkBind/markbind/issues/2607) and PR [#2608](https://github.com/MarkBind/markbind/pull/2608), both opened by me, represent an effort towards this direction. At least now, with [#2608](https://github.com/MarkBind/markbind/pull/2608) merged in, we don't have a critical vulnerability to deal with :) | ||
|
||
(Possibly more to be added in as I explore `npm` and security risks) |
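Review bot: the mitigation list at the end of this hunk ("Use security scanning tools to detect known vulnerability in packages", "Use dependency & version managers to keep the system updated") names categories of tooling without tying them to the project's own workflow; since the same commit records PR #2608 removing the discontinued `crypto-js` package, state which concrete check surfaced that dependency (for example an `npm audit` run in CI) so the next maintainer can repeat it rather than rediscover it. Smaller wording points in the same hunk: "known vulnerability in packages" should be "known vulnerabilities in packages"; "Downloading automatically a malicious executable file" reads better as "Automatically downloading a malicious executable file"; `webpack` is a bundler rather than a package manager, so it does not belong in the list beside `pnpm` and `yarn`; and "how to manage it" should be "how to manage them" since it refers to risks and vulnerabilities.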
@@ -0,0 +1,36 @@ | ||
## CS3282 Progress | ||
|
||
### Summary | ||
|
||
As a CS3281 student in AY22/23 Semester 2, I have worked on various aspects of the user-oriented aspects of MarkBind, including CLI, template, and logging. Following from this, and adding on what I have learnt over the subsequent few semesters: | ||
|
||
For CS3282, in AY24/25 Semester 2, I am focusing on the idea of "Usability" for both users and developers. Following from this theme, it would be great to help develop CLI, Templates, Logging, DevOps, and Documentation side of things, while also being mindful of how we approach UI/UX for components. | ||
|
||
### Pull Requests | ||
|
||
| Week | Achievements | | ||
| ---- | --------------------------------------------------------------------------------------------------------------------------------------- | | ||
| 1 | Discussion on PR: [Add Pagefind Plugin (#2568)](https://github.com/MarkBind/markbind/pull/2568) | | ||
| 4 | Reviewed PR: [Update UG Node.js/npm instructions (#2589)](https://github.com/MarkBind/markbind/pull/2589) | | ||
| 4 | Reviewed PR: [UG -> Add mcq question with multiple correct answers (#2591)](https://github.com/MarkBind/markbind/pull/2591) | | ||
| 5 | Reviewed PR: [Fix broken annotation label (#2586)](https://github.com/MarkBind/markbind/pull/2586) | | ||
| 5 | Merged PR: [Update UG Node.js/npm instructions (#2589)](https://github.com/MarkBind/markbind/pull/2589) | | ||
| 5 | Reviewed PR: [Catch UncaughtException when serving in non-Markbind directories (#2592)](https://github.com/MarkBind/markbind/pull/2592) | | ||
| 5 | Reviewed PR: [Add compiled dangerfile.js to .gitignore and .eslintignore (#2601)](https://github.com/MarkBind/markbind/pull/2601) | | ||
| 5 | Merged PR: [Add compiled dangerfile.js to .gitignore and .eslintignore (#2601)](https://github.com/MarkBind/markbind/pull/2601) | | ||
| 6 | Merged PR: [Fix broken annotation label (#2586)](https://github.com/MarkBind/markbind/pull/2586) | | ||
| 6 | Merged PR: [Catch UncaughtException when serving in non-Markbind directories (#2592)](https://github.com/MarkBind/markbind/pull/2592) | | ||
| 6 | Authored PR: [Remove discontinued `crypto-js` package (#2608)](https://github.com/MarkBind/markbind/pull/2608) | | ||
| R | Merged PR: [Remove discontinued `crypto-js` package (#2608)](https://github.com/MarkBind/markbind/pull/2608) | | ||
|
||
### Issues / Discussions | ||
|
||
| Week | Achievements | | ||
| ---- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | ||
| 1 | Discussion on issue: [Better UI for copy button (#2581)](https://github.com/MarkBind/markbind/issues/2581) | | ||
| 1 | Discussion on issue: [UG -> Getting Started: Make this section more user friendly (#2575)](https://github.com/MarkBind/markbind/issues/2575) | | ||
| 2 | Discussion on issue: [Standardize and document steps wrt to GitHub teams and PR review procedure (#2073)](https://github.com/MarkBind/markbind/issues/2073) | | ||
| 2 | Discussion on issue: [Update "Fix a bug" section of the Onboarding Bootcamp (#2585)](https://github.com/MarkBind/markbind/issues/2585) | | ||
| 3 | Discussion on issue: [Inconsistent behavior with mcq questions allowing multiple correct answers (#2587)](https://github.com/MarkBind/markbind/issues/2587) | | ||
| 6 | Discussion on issue: [DeprecationWarning The `punycode` module is deprecated. Please use a userland alternative instead. (#2485)](https://github.com/MarkBind/markbind/issues/2485) | | ||
| 6 | Opened issue: [Resolve `npm` package vulnerabilities (#2607)](https://github.com/MarkBind/markbind/issues/2607) | |
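Review bot: the "Merged PR" rows in the Pull Requests table are ambiguous for PRs the author lists only as reviewed (#2589, #2586, #2592, #2601): say whether "Merged" means merged by the author in a reviewer role or simply merged upstream, otherwise the table reads as a claim of authorship. In the Summary, "various aspects of the user-oriented aspects of MarkBind" repeats "aspects", and "Following from this, and adding on what I have learnt over the subsequent few semesters:" ends in a colon with no list after it, so it should be joined to the next paragraph or rewritten as a full sentence. The week "R" row in the Pull Requests table should spell out what "R" stands for, since every other row uses a week number.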