ishangsf/rspec
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
rspec/rules/S6505/docker/rule.adoc
Egon Okerman d1417e82f8
Modify CWE and OWASP Top 10 links to follow standard link format (APPSEC-1134) (#3529) 
* Fix all CWE references

* Fix all OWASP references

* Fix missing CWE prefixes
2024-01-15 17:15:56 +01:00

84 lines
2.0 KiB
Plaintext
Raw Blame History

When installing dependencies, package managers like ``++npm++`` will
automatically execute shell scripts distributed along with the source code.
Post-install scripts, for example, are a common way to execute malicious code
at install time whenever a package is compromised.
== Ask Yourself Whether
* The execution of dependency installation scripts is required for the application to function correctly.
There is a risk if you answered no to the question.
== Recommended Secure Coding Practices
Execution of third-party scripts should be disabled if not strictly necessary
for dependencies to work correctly.
Doing this will reduce the attack surface and block a well-known supply chain
attack vector.
Commands that are subject to this issue are: `npm install`, `yarn install` and `yarn`
(`yarn` without an explicit command will execute `install`).
== Sensitive Code Example
[source,docker,diff-id=1,diff-type=noncompliant]
----
FROM node:latest
# Sensitive
RUN npm install
----
[source,docker,diff-id=2,diff-type=noncompliant]
----
FROM node:latest
# Sensitive
RUN yarn install
----
== Compliant Solution
[source,docker,diff-id=1,diff-type=compliant]
----
FROM node:latest
RUN npm install --ignore-scripts
----
[source,docker,diff-id=2,diff-type=compliant]
----
FROM node:latest
RUN yarn install --ignore-scripts
----
== See
* CWE - https://cwe.mitre.org/data/definitions/506[CWE-506 - Embedded Malicious Code]
* CWE - https://cwe.mitre.org/data/definitions/829[CWE-829 - Inclusion of Functionality from Untrusted Control Sphere]
* https://eslint.org/blog/2018/07/postmortem-for-malicious-package-publishes/[ESLint blog] - Postmortem for Malicious Packages Published on July 12th, 2018
ifdef::env-github,rspecator-view[]
'''
== Implementation Specification
(visible only on this page)
=== Message
* Omitting `--ignore-scripts` can lead to the execution of shell scripts. Make sure it is safe here.
=== Highlighting
Highlight the command and the subcommand if the latter is present.
'''
endif::env-github,rspecator-view[]
Reference in New Issue View Git Blame Copy Permalink