On 07/08/2013 07:55 AM, Jérémy Lal wrote:
> I am curious about how `npm install mymodule` could be a target for an attacker,
> especially considering the temp directory is used only once (at (un)tar times).

If the tmpdir is predictably-named (e.g. it is /tmp/npm-$PID), then an attacker could watch the process table for a process named "npm", and as soon as it appears (say, as pid 13577), create a symlink at /tmp/npm-13577 that points to, say, the home directory of the user npm, which might have the effect of clobbering any similarly-named files. This is a crude attack, but depending on the contents of the tarball it could be pretty unfortunate (e.g. if the tarball contains a file named secring.gpg, and the attacker points the symlink to the victim's ~/.gnupg?).

> Agreed, the workaround I proposed is completely wrong,
> please read what `man npm-config` says about TMPDIR instead.

http://sources.debian.net/src/npm/1.2.18~dfsg-3/doc/cli/config.md#L756 suggests that it is supposed to use TMPDIR, which is good :)

--dkg
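The symlink race dkg describes, and the mitigation of creating the temp directory with an unpredictable name and refusing to write through anything the tool did not create itself, as an added Python example that is not part of this thread or of npm's own code. Everything in it is constructed for illustration: the `npm-<pid>` naming pattern, the sandbox directory standing in for /tmp and the victim's home, the file name `secring.gpg` taken from the mail, and the function names.

```python
import os
import stat
import tempfile


def predictable_tmpdir(base, pid):
    """The pattern the mail warns about: a temp dir name derived only from
    the pid, so anyone can guess it before the process creates it
    (constructed illustration, not npm's real naming)."""
    return os.path.join(base, f"npm-{pid}")


def naive_extract(tmpdir, name, data):
    """Naive extraction: makedirs(exist_ok=True) accepts a pre-existing
    symlink (isdir() follows it), and the write lands wherever it points."""
    os.makedirs(tmpdir, exist_ok=True)
    with open(os.path.join(tmpdir, name), "wb") as f:
        f.write(data)


def hardened_tmpdir(base):
    """Unpredictable name, created atomically by the kernel with mode 0700,
    so nobody can pre-plant a symlink at it. `base` would come from TMPDIR
    in a real tool."""
    return tempfile.mkdtemp(prefix="npm-", dir=base)


def safe_extract(tmpdir, name, data):
    """Refuse to write into a temp dir that is not a plain directory we own
    and that others cannot write to; also refuse to follow a symlink for the
    target file itself (O_EXCL | O_NOFOLLOW)."""
    st = os.lstat(tmpdir)  # lstat: inspect the path itself, not its target
    if stat.S_ISLNK(st.st_mode) or not stat.S_ISDIR(st.st_mode):
        raise RuntimeError(f"{tmpdir}: not a plain directory")
    if st.st_uid != os.getuid():
        raise RuntimeError(f"{tmpdir}: owned by another user")
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        raise RuntimeError(f"{tmpdir}: group/world writable")
    fd = os.open(os.path.join(tmpdir, name),
                 os.O_WRONLY | os.O_CREAT | os.O_EXCL | os.O_NOFOLLOW, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(data)


def demo(base=None):
    """Replays the race inside a private sandbox directory.
    Returns (naive_clobbered, hardened_refused, hardened_ok)."""
    base = base or tempfile.mkdtemp(prefix="sandbox-")
    victim_home = os.path.join(base, "home")  # stands in for ~/.gnupg
    os.mkdir(victim_home)

    # A symlink already sitting at the guessable name when "npm" starts.
    predictable = predictable_tmpdir(base, os.getpid())
    os.symlink(victim_home, predictable)

    # Naive code follows the link and drops the tarball's file into "home".
    naive_extract(predictable, "secring.gpg", b"tarball contents")
    naive_clobbered = os.path.exists(os.path.join(victim_home, "secring.gpg"))

    # Hardened code refuses the pre-planted path outright.
    try:
        safe_extract(predictable, "secring.gpg", b"tarball contents")
        hardened_refused = False
    except RuntimeError:
        hardened_refused = True

    # ...and works normally on a directory it created itself.
    good = hardened_tmpdir(base)
    safe_extract(good, "pubring.gpg", b"tarball contents")
    hardened_ok = os.path.exists(os.path.join(good, "pubring.gpg"))
    return naive_clobbered, hardened_refused, hardened_ok


if __name__ == "__main__":
    print(demo())  # (True, True, True)
```

The two checks complement each other: `mkdtemp` closes the window in which a name can be guessed, and the `lstat`/ownership/`O_NOFOLLOW` checks make the extraction fail closed if a caller ever hands it a directory it did not create, for instance a TMPDIR pointing somewhere shared.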