Security Issue about Namespacing


#1

I’m reading the documentation and found:

If you want to look inside packages from inside your in-browser debugger, you’ve got two options:
If a package foo is included in your app, regardless of whether your app uses it directly, its exports are available in Package.foo. For example, if the email package is loaded, then you can access Package.email.Email.send even from namespaces that don’t use the email package directly.

If I use popular packages for my application, I think that a hacker can try to access the exports of the packages by using the web console, and I think it will be a very big problem in terms of security.

What do you guys think about that?


#2

What kind of problem? Can you give an example?


#3

@Steve I’m certainly not sure, but for example, making the app behave strangely by controlling (adding or removing attributes of) the properties of the exports. Isn’t it possible?


#4

A user will always be able to change client-side code to break their application. But this won’t affect the server or other clients. There would only be a security issue if the library was exposing an API key or similar info, but as long as you keep these in the server directory this isn’t an issue.
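
As an added example (not code from this thread, and not Meteor’s own code), the following JavaScript models the behaviour the reply relies on: Meteor sends only the `public` subtree of `settings.json` to the browser, so anything under `public` is readable in the web console exactly like the package exports discussed above, while keys outside `public` stay on the server. The settings objects, the key names and the `findClientVisibleSecrets` helper are all constructed for illustration.

```javascript
// Added example, not from the thread or from Meteor's source. Models the
// documented rule that Meteor.settings on the client contains only the
// `public` subtree of settings.json; everything else stays server-side.
// All names and values below are constructed for illustration.

'use strict';

// Weak variant: the credential sits under `public`, so it is shipped to
// every browser and is trivially readable from the console.
const weakSettings = {
  public: {
    appName: 'demo',
    mailgunApiKey: 'key-0123456789abcdef0123456789abcdef',   // constructed
  },
};

// Corrected variant: the credential lives outside `public`; the client
// only ever receives the harmless display name.
const fixedSettings = {
  public: { appName: 'demo' },
  mailgunApiKey: 'key-0123456789abcdef0123456789abcdef',     // constructed
};

// What the browser receives: a copy of `public` and nothing else.
function clientView(settings) {
  return { public: JSON.parse(JSON.stringify(settings.public || {})) };
}

// Key names that should never be client-visible (heuristic, not exhaustive).
const SECRET_NAME = /(api[_-]?key|secret|password|token|private)/i;

// Walk the client-visible subtree and return dotted paths of keys that
// look like credentials. An empty array means nothing obvious leaks.
function findClientVisibleSecrets(settings) {
  const leaks = [];
  const walk = (obj, path) => {
    for (const [key, value] of Object.entries(obj)) {
      const p = path ? `${path}.${key}` : key;
      if (value && typeof value === 'object') walk(value, p);
      else if (SECRET_NAME.test(key)) leaks.push(p);
    }
  };
  walk(clientView(settings), '');
  return leaks;
}

// Usage: run the check against both variants before deploying.
console.log('weak  :', findClientVisibleSecrets(weakSettings));
console.log('fixed :', findClientVisibleSecrets(fixedSettings));
```

Running the check as part of a build step catches the common mistake of moving a key into `public` "temporarily" for a client-side feature; the fix is to keep the key server-only and have the client call a server method instead.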


#5

@entropy
So do you mean that it might not be a problem except for the data (API key and similar info)?

And what happens if a package publisher made a mistake in wrapping exports that might affect other features?

In this situation, I think there is a possibility that the users of the package do not even know about the problem, and it might cause a security issue.

What do you think about this?


#6

I think it’s up to the dev to check for security faults - isn’t that true any time you use third-party code? And that goes for non-Meteor applications too.


#7

@TwinTails For that reason, I don’t use 3rd-party libs much. Is there any way to check whether the exports have problems or not?


#8

As far as I know, there is no security issue pertaining to the Meteor package system. @barkbaek, unless you give an example, there is not much we can discuss.


#9

@Steve I was just curious whether that could happen, since I read about the exports in the documentation.

I can’t give an example because my understanding is very shallow, as a newbie.

I think that I have to read more articles about packages. Anyway, thank you for the reply.


#10

@Steve Can you please suggest tutorials or best practices about writing packages?


#11

Sorry, I am not a package expert. Maybe you can start with http://package-kitchen.meteor.com/.


#12

Thank you @Steve ! I will look around the link. :slight_smile:


#13

Not that I know of, besides checking reported issues on the GitHub page - you can write/use safeguards though.

The ongoworks:meteor-security package, for example, makes your app use deny-only rules:

If you use a lot of community packages in your app, there is the possibility that one of them will add an allow function that returns true for a perfectly good reason, but if you are not aware of it, you may not even realize that your allow function is never being called, and your security logic is not being applied.

This package takes allow functions out of the equation and handles all security through deny functions, which are guaranteed to be called.
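
As an added example (not from this thread, and not the code of Meteor or of ongoworks:meteor-security), the following JavaScript is a minimal model of the rule evaluation the quoted README describes: a write is rejected if any deny callback returns true, otherwise it is accepted if at least one allow callback returns true, and allow callbacks are tried in registration order stopping at the first `true`. The `RuleSet` class, the rule functions and the scenarios are constructed to show why a package’s permissive allow silently bypasses the app’s own allow while a deny rule still holds.

```javascript
// Added example, not from the thread and not Meteor's implementation.
// A simplified model of allow/deny resolution for a client-side insert,
// constructed to illustrate the README's warning about third-party
// allow rules. All rule functions and documents below are made up.

'use strict';

class RuleSet {
  constructor() {
    this.allows = [];
    this.denies = [];
  }
  allow(fn) { this.allows.push(fn); }
  deny(fn) { this.denies.push(fn); }

  // Returns { allowed, allowsCalled } so the caller can see which allow
  // callbacks actually executed. Denies are evaluated first; allows are
  // evaluated in registration order and stop at the first one returning true.
  checkInsert(userId, doc) {
    if (this.denies.some((fn) => fn(userId, doc))) {
      return { allowed: false, allowsCalled: [] };
    }
    const allowsCalled = [];
    const allowed = this.allows.some((fn) => {
      allowsCalled.push(fn.name);
      return fn(userId, doc);
    });
    return { allowed, allowsCalled };
  }
}

// Hypothetical third-party package rule: permits every insert.
function packageAllow() { return true; }

// The app's intended policy: only a logged-in user may insert documents
// they own. Expressed once as an allow rule and once as a deny rule.
function appAllow(userId, doc) { return !!userId && doc.owner === userId; }
function appDeny(userId, doc) { return !userId || doc.owner !== userId; }

// Scenario 1: app relies on allow; the package registered its allow first.
// An anonymous client inserts a document owned by someone else.
function scenarioAllowOnly() {
  const rules = new RuleSet();
  rules.allow(packageAllow);
  rules.allow(appAllow);
  return rules.checkInsert(null, { owner: 'alice' });
}

// Scenario 2: same package allow still present, but the app enforces its
// policy with a deny rule, which is consulted regardless of any allow.
function scenarioDenyOnly() {
  const rules = new RuleSet();
  rules.allow(packageAllow);
  rules.deny(appDeny);
  return rules.checkInsert(null, { owner: 'alice' });
}

// Scenario 3: the deny rule does not block a legitimate owner.
function scenarioDenyLegit() {
  const rules = new RuleSet();
  rules.allow(packageAllow);
  rules.deny(appDeny);
  return rules.checkInsert('alice', { owner: 'alice' });
}

console.log('allow-only :', scenarioAllowOnly());
console.log('deny, anon :', scenarioDenyOnly());
console.log('deny, owner:', scenarioDenyLegit());
```

In scenario 1 the result is `allowed: true` with `allowsCalled: ['packageAllow']`: the app’s `appAllow` never ran, which is exactly the silent failure the README warns about. Scenarios 2 and 3 show the deny form of the same policy rejecting the anonymous write and passing the owner’s, independent of whatever allow rules other packages add.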


#14

Thank you @TwinTails ! I will try :smile: