The battle for Node.js security has only begun

The Node Security Project identifies four primary security issues with Node.js


The founder of the Node Security Project says Node.js still has common vulnerabilities, but progress has been made to make it more secure.

Appearing at the recent Node Community Convention in San Francisco, project founder Adam Baldwin, chief security officer at Web consulting company &yet, emphasized risks, protections, and progress.

Baldwin sees four risks within the Node ecosystem pertinent to the enterprise: the code dependency tree, bugs, malicious actors, and people. "I think of [the dependency tree] more as the dependency iceberg, to be honest," Baldwin said, "where your code is the ship and your dependencies that you have with your package.json is that little tiny iceberg at the top." But developers need to be aware of the "massive" iceberg underneath, he stressed.

The second risk is bugs, in both the code an organization writes and the code it consumes, Baldwin said. When Node's Buffer is misused, JavaScript code can end up handing out uninitialized memory. "The enterprise perspective here is that if I use JavaScript, I'm supposed to be protected from these low-level problems of dealing with memory initialization and all that," noted Baldwin. Developers can guard against the buffer problem by calling .fill on a newly created buffer and by checking the type of the first argument passed to the Buffer constructor. "It's a pattern that I don't think developers are aware of," he said. "We've found it exploitable in production once over two years."
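The type check and zero-fill that Baldwin describes, as an added example that is not code from the article or from the Node Security Project; the function name toBuffer, the helper isZeroFilled and the size limit MAX_BUFFER_BYTES are my own assumptions.

```javascript
// Added example: build a Buffer from untrusted input without ever returning
// uninitialized memory. Names (toBuffer, isZeroFilled, MAX_BUFFER_BYTES) are
// assumed for this example, not taken from any library.

// Upper bound on an allocation driven by untrusted input (assumed policy value).
const MAX_BUFFER_BYTES = 64 * 1024;

// The legacy pattern the talk warns about looks like:
//   const buf = new Buffer(input);
// A string is encoded, but if the same value arrives as a number (for example
// after JSON.parse), older Node versions allocate that many bytes of
// *uninitialized* memory, so stale process memory can reach the caller.

function toBuffer(input) {
  // 1. Strings: encode explicitly with a fixed encoding.
  if (typeof input === 'string') {
    return Buffer.from(input, 'utf8');
  }
  // 2. Existing byte containers: copy them, never alias the caller's memory.
  if (Buffer.isBuffer(input) || input instanceof Uint8Array) {
    return Buffer.from(input);
  }
  // 3. Numbers: accept only a sane, bounded size and return zero-filled memory.
  //    Buffer.alloc(n) is zero-filled; on Node versions that predate it,
  //    new Buffer(n).fill(0) is the equivalent the talk recommends.
  if (typeof input === 'number') {
    if (!Number.isInteger(input) || input < 0 || input > MAX_BUFFER_BYTES) {
      throw new RangeError(`refusing to allocate ${input} bytes`);
    }
    return Buffer.alloc(input);
  }
  // 4. Anything else (objects, null, undefined, booleans) is rejected rather
  //    than coerced, which is the "check the type" half of the mitigation.
  throw new TypeError(`cannot build a Buffer from ${typeof input}`);
}

// True iff every byte is zero, which is what a fresh allocation must be.
function isZeroFilled(buf) {
  return buf.every((b) => b === 0);
}
```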

The third and fourth risk categories -- malicious actors and people -- are closely related. The former deliberately upload malicious code, and the Node Security Project has an effort afoot to detect such modules, Baldwin said. With the latter, people, the developers who create modules may or may not be malicious actors. "I trust these people will write good code or at least not have malicious intent for my project," said Baldwin. The point is not that people are untrustworthy or will write bad code, but that the organization as a whole bears the risk of their bad security habits.

Baldwin offered risk mitigation strategies involving moving to npm onsite, auditing, white-listing modules, using the Node Security Project command-line tool, and changing passwords. As a general rule, Baldwin recommended that users "treat confidential information that you are in possession of with respect."

The Node.js Foundation, which oversees the platform's development, recently disclosed two vulnerabilities, including a denial-of-service risk. Patches were released roughly a week later. Developers also should report the security issues they find.

Copyright © 2016 IDG Communications, Inc.