Why Javascript is a bomb waiting to explode.

Once again something happens to NPM that causes very real issues.
Forgetting about the politics or humanity of the cause, this is just another reason why things like javascript that pull in code without even an attempt to vet it are a potential catastrophe.
Too melodramatic? Maybe, but P.O.C. for cpu exploits are made via this evil language called javascript.
Read more Here
 
No disagreements from me. It does show a good point of Open Source: one can look at the code. But the downside is: one has to have a desire to look at the code and the ability to recognize malicious code.
 
Eeek, it can get pretty ugly. Though admittedly, I do tend to see it less of a flaw of Javascript (or even the web) and more that beginners are specifically attracted to it.

No-one should be dragging in dependencies like this. They should use a specific (known) version rather than treadmilling onto the latest all the time! That is a very amateur thing to do and in the web specifically, I see it all the time.

I really dislike these language specific package stores (NPM, PIP, crates.io, VcPkg, etc). They just allow amateurs to rack up so much technical debt!
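The "use a specific (known) version" advice above can be checked mechanically. The script below is an added example, not code from this thread or from npm: it reads a package.json and flags every dependency specifier that is not an exact version (caret and tilde ranges, `latest`, `*`, git/GitHub sources, `npm:` aliases). The manifest it scans is constructed inline for the demo and every `example-*` package name in it is a placeholder.

```javascript
// Added example: flag package.json dependency specifiers that can resolve to
// different code over time. Nothing here is npm's own code.

// An exact version: MAJOR.MINOR.PATCH with optional pre-release / build tags.
const EXACT_VERSION = /^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?(?:\+[0-9A-Za-z.-]+)?$/;
const DEP_FIELDS = ['dependencies', 'devDependencies', 'optionalDependencies'];

// Classify one specifier. Returns null for an exact pin, otherwise a short
// reason why the same specifier may fetch different code on a later install.
function classifySpec(spec) {
  const s = typeof spec === 'string' ? spec.trim() : '';
  if (s === '') return 'empty specifier';
  if (EXACT_VERSION.test(s)) return null;
  if (/^npm:/.test(s)) return 'registry alias; the aliased range may float';
  if (/^(git\+|git:|github:|https?:|file:|link:)/.test(s) || /^[^@\s]+\/[^@\s]+$/.test(s)) {
    return 'non-registry source; contents can change under the same spec';
  }
  if (s === '*' || s === 'latest') return 'resolves to the newest published release';
  if (/^[~^]/.test(s)) return 'caret/tilde range; newer releases satisfy it';
  return 'range, wildcard or dist-tag';
}

// Walk every dependency field and collect the non-pinned entries.
function findFloatingSpecs(pkg) {
  const findings = [];
  for (const field of DEP_FIELDS) {
    const deps = pkg[field] || {};
    for (const [name, spec] of Object.entries(deps)) {
      const reason = classifySpec(spec);
      if (reason !== null) findings.push({ field, name, spec, reason });
    }
  }
  return findings;
}

// Parse manifest text and audit it. In practice the text would come from
// fs.readFileSync('package.json', 'utf8'); here it is passed in directly.
function auditManifest(text) {
  return findFloatingSpecs(JSON.parse(text));
}

// Constructed sample manifest; the package names are placeholders.
const SAMPLE_PACKAGE_JSON = JSON.stringify({
  name: 'demo-app',
  version: '1.0.0',
  dependencies: {
    'example-pinned': '2.4.1',
    'example-caret': '^1.3.0',
    'example-latest': 'latest',
    'example-git': 'github:someone/example-git',
  },
  devDependencies: {
    'example-tilde': '~5.0.2',
    'example-range': '>=1.0.0 <2.0.0',
  },
});

// Report: one line per floating specifier.
for (const f of auditManifest(SAMPLE_PACKAGE_JSON)) {
  console.log(`${f.field}: ${f.name} "${f.spec}" -> ${f.reason}`);
}
```

Exact pins in package.json only cover direct dependencies; what actually freezes the transitive tree is a committed package-lock.json installed with `npm ci`, which fails rather than silently re-resolving when the lockfile and manifest disagree.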
 
A lot of places that I've worked at/with, will actually set up local clones of repos they use. They can have better control over versions and "what's in their product". You still have to vet the code you are using, but at least you are not blindly pulling things in.

Alain De Vos "Maybe". Like the old joke about eating an elephant, one bite at a time. The problem is that by the time you are done verifying "this" version of Chrome, how much time has passed, and how many versions behind are you from the current one?
 
Eeek, it can get pretty ugly. Though admittedly, I do tend to see it less of a flaw of Javascript (or even the web) and more that beginners are specifically attracted to it.
Yes, true.

We strangely decry M$ using telemetry (glorified spyware), rightfully so, we update FreeBSD with the latest patches, be ever diligent with our firewalls, our auditing, our MAC etc etc and yet don't give a second thought to the biggest security threat: a browser running javascript.

Perhaps you're right, but for the reasons I wrote above, it has a powerful position in the software stack and yet is the most insecure garbage I can think of. More and more people adopt it, the browser, as the future in computing. Sheez, that future is bleak.

No-one should be dragging in dependencies like this. They should use a specific (known) version rather than treadmilling onto the latest all the time! That is a very amateur thing to do and in the web specifically, I see it all the time.

I really dislike these language specific package stores (NPM, PIP, crates.io, VcPkg, etc). They just allow amateurs to rack up so much technical debt!

No one should, but the problem is everyone does. They use other's code, which contains other code, that contains other code and so on just so they can do rot13. (Just an example). It's almost theft, because to me this is not open source, it's open exploitation. Maybe they're truly the same?

I remember years ago, the advent of C++ and the sharing of code and people/nerds being all giddy over it. Some were anticipating large code banks where you could draw in code to perform X function and Y function and save time & money. Glorious, they said. Me, being perhaps too cynical, said in a sarcastic way: "What could possibly go wrong with that methodology". Along comes javascript.

I'm not sure it can be solved short of all browsers should be run in a sandbox, always, but that largely only stops exploits.

Don't get me wrong, sharing code is good, but ffs know what it does or don't include it. This type of system like NPM does the exact opposite.

Yes these repositories are an evil unto themselves.
 
Like the number of lines of code of the Chromium browser...
Is this even verifiable, given the hugeness?
True, but, you're unlikely to include chromium in some software you write.
As I've said, code sharing is not evil, and most code is great etc, but if you willingly include software in your own software without understanding it, then you're a poor programmer (literally and figuratively).

It's not inconceivable something similar could happen with a c++ boost library or similar, but this is not the same as NPM where software includes software includes software drawn from NPM and the programmers don't know or care.
 
Warning Will Robinson! Warning! According to my Firefox Browser Console, we were attacked by multiple Javascript errors while loading this hazardous FreeBSD forums thread! Warning! Warning! Warning!

 
Calling this protestware is not appropriate when I look at his work. By obfuscating his evil he really crossed a line.
obsigna was mentioning how he was going to disable downloads for his software for certain Geo IPs.
That seems like a reasonable protest compared to deleting files.

I absolutely hate what is going on in Ukraine.
But when you give your work to 'the license' there is no turning back. Regardless of your feelings.
 
JavaScript is a tool, and since the first primates started using tools, there were some individuals who were using it wrong.

This example may well be an urban legend (I heard it more than 25 years ago), anyway it fits the message. A vacuum cleaner is not a bomb waiting to explode only because an individual used it to suck wasps out of their nest into it, and in order to get the wasps finally killed sucked natural gas into the running cleaner. Well, the wasps got killed, but other severe casualties happened as well.

EDIT:

Node.js and NPM seem to behave somewhat like a vacuum cleaner, sucking in, along with some wanted things, also other things and wasps from the net. That is another story, but that is not inherently a problem of JavaScript. There is a long list of similar incidents, where some language has been used to load malicious code from anywhere.

Needless to say, I use pure JavaScript, and my JS code does not even load other JS code from my sites. I require my JS to be atomic and self-contained.
 
My milkshake comment was vengeful but it is a serious offense against some very serious people.
I apologize for my demeanor.
 
The bad part is the vulnerability alert in NPM is going to be ignored by a majority of users, because of how NPM is set up and its policy on fixing it. For those that haven't played with NPM much, it has the good intention of warning people about known vulnerabilities in packages. The problem is that the tool to fix it does it the completely wrong way. The policy of the npm audit tool (to also fix vulnerabilities) is to first switch to a different version. The issue is, npm also has a policy of every version being a hard stop; there is no such thing as an upgrade beyond that major (and in a lot of cases minor) version, just the revision. THE only way to switch to a new version is to manually go into the file(s) and by hand change all the versions to a new version (including all the dependencies). Now, what the npm audit tool does, given those 2 policies, is what it can: it switches to a new version; an older version... in a lot of cases, all the way down to 1.0.0 or 0.0.1.

Another issue npm audit tool has, is that it can't differentiate who has the dependency; so it reports that every tool in the entire dependency chain has the vulnerability. So it literally gets into the boy that cried wolf with a figurative blowhorn and everyone gets on and cries out on their blowhorn when they hear it. So in the end, npm got everyone so numb to vulnerability reports that they don't listen to them (as who can tell which package in the entire dependency chain has the vulnerability). Even if someone wants to do something about it, how can they do anything about something that is 3+ layers deep (even a new react project comes with several vulnerabilities from the get go; one that is several layers deep that is abandoned but is widely used by everything).
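The complaint above, that the audit output does not tell you which of your own dependencies drags a flagged package in, can be answered from the lockfile itself. The script below is an added example, not the thread's code and not part of npm: it walks a package-lock.json (lockfileVersion 2 or 3, which records every installed package under `packages` keyed by its node_modules path), follows Node's resolution rule for nested `node_modules` directories, and prints every chain from the root project to a named package, with the version reached on each chain. The lockfile it walks is constructed inline and the `example-*` names are placeholders; an optional version filter narrows the output to the versions an advisory actually affects.

```javascript
// Added example: which direct dependency pulls a given package into the tree?
// Works on the `packages` map of a lockfileVersion 2/3 package-lock.json.
// Lockfile v1 (the nested `dependencies` tree) is not handled here.

// Node resolves a require() from directory P by looking in
// P/node_modules/<name>, then in the parent's node_modules, up to the root.
// Lockfile keys mirror that layout, so the same walk finds the right entry.
function resolveDep(packages, fromPath, depName) {
  let base = fromPath;
  for (;;) {
    const candidate = base === '' ? `node_modules/${depName}` : `${base}/node_modules/${depName}`;
    if (packages[candidate]) return candidate;
    if (base === '') return null; // not installed anywhere on the path
    const idx = base.lastIndexOf('/node_modules/');
    base = idx === -1 ? '' : base.slice(0, idx);
  }
}

// Depth-first walk from the root entry (key ""), recording every chain of
// name@version labels that ends at targetName. `versionFilter` lets the
// caller keep only the versions an advisory lists as affected.
function dependencyChains(lock, targetName, versionFilter = () => true) {
  const packages = lock.packages || {};
  const root = packages[''] || {};
  const chains = [];

  function walk(fromPath, chain, seen) {
    const entry = packages[fromPath];
    if (!entry) return;
    // devDependencies only matter for the root project itself.
    const deps = Object.assign({}, entry.dependencies || {},
      fromPath === '' ? entry.devDependencies || {} : {});
    for (const depName of Object.keys(deps)) {
      const depPath = resolveDep(packages, fromPath, depName);
      if (!depPath || seen.has(depPath)) continue; // missing or cycle
      const dep = packages[depPath];
      const next = chain.concat(`${depName}@${dep.version || '?'}`);
      if (depName === targetName && versionFilter(dep.version || '')) {
        chains.push(next);
        continue; // no need to look below the target itself
      }
      walk(depPath, next, new Set([...seen, depPath]));
    }
  }

  walk('', [`${root.name || '(root)'}@${root.version || '?'}`], new Set(['']));
  return chains;
}

// Constructed sample lockfile. Two direct dependencies both need
// example-util, but at incompatible majors, so one copy is hoisted to the
// top level and the other is nested under example-lib-b.
const SAMPLE_LOCK = {
  name: 'demo-app',
  lockfileVersion: 3,
  packages: {
    '': {
      name: 'demo-app', version: '1.0.0',
      dependencies: { 'example-lib-a': '^1.0.0', 'example-lib-b': '^3.0.0' },
    },
    'node_modules/example-lib-a': { version: '1.2.0', dependencies: { 'example-util': '^2.0.0' } },
    'node_modules/example-lib-b': { version: '3.1.0', dependencies: { 'example-util': '^1.0.0' } },
    'node_modules/example-util': { version: '2.0.3' },
    'node_modules/example-lib-b/node_modules/example-util': { version: '1.4.0' },
  },
};

// Report every chain that reaches example-util, then only the 1.x chains
// (the kind of filter you would build from an advisory's affected range).
for (const chain of dependencyChains(SAMPLE_LOCK, 'example-util')) {
  console.log(chain.join(' > '));
}
console.log('--- only 1.x ---');
for (const chain of dependencyChains(SAMPLE_LOCK, 'example-util', v => v.startsWith('1.'))) {
  console.log(chain.join(' > '));
}
```

The walk enumerates every chain, which is what you want for an answer to "who pulls this in", but on a large tree with many shared packages the number of chains can grow quickly; stopping at the first hit per direct dependency is a cheap way to keep the output readable if that happens.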
 
obsigna pointed out what I was going to write. The problems we hear about are problems intentionally written by bad actors and not a problem with javascript. It's also a problem when there are vulnerabilities that js has access to.

At my company, we wrote all our own software, but credit card providers required us to use node and their software. The good thing is that, if something went wrong, it was their problem, not ours. With other things, we might use someone else's library if we were in a rush but always eventually replaced it with our own. Not only for security's sake but for our own. WE were in charge of fixing bugs and WE made the software do what WE wanted and we didn't have to wait around for anyone else.
 
*cough* Teams. Twice. *cough*
Which is based on the Electron framework, so it's actually worse than that.

For me, NPM is not the problem, because there are similar tools outside for other languages as well, like cargo or pip.

For me the problem around NPM is

a) the way it is being managed - maybe it has improved since Microsoft bought it? I don't know... and
b) the laziness and lack of skill of the average Node.JS developer.

I mean we are talking here about people who are too dumb to program 1+1 on their own. Maybe not that dumb, but dumb enough to program many trivial tasks a programmer of another programming language is able to do on his own. Otherwise it cannot be explained how a simple left padding function became one of the most downloaded packages in that ecosystem with around 2.5 million downloads per month, and when it was pulled for 10 minutes broke the whole ecosystem.

And since Node.JS developers are mostly too lazy to program basic stuff on their own, their programs are most of the time real dependency hells which nobody can evaluate for security... at least quickly.
 
npm is definitely a problem, because it's explicitly built with semver in mind and semver encourages micro-libraries.
 
[...]

Needless to say, I use pure JavaScript, and my JS code does not even load other JS code from my sites. I require my JS to be atomic and self-contained.

If only more people were like you! :)

However, the majority of javascript "programmers" seem to be lazy, unassuming programmers with zero knowledge of the ramifications of using a system of blind inclusion of source code.
 
npm is definitely a problem, because it's explicitly built with semver in mind and semver encourages micro-libraries.
I don't think this is an npm/JS limited issue; but more of the mentality/culture around package managers in pretty much ANY/ALL languages. While I agree in semver being the key issue, laziness really ends up being the ugly head that always pops up. Doesn't help that laziness is also helping the spread of semver and micro-libraries because of the "not my issue" mentality, since it is in some library and not in their code.

Doesn't help that Rust is going full speed down the path npm is going. Even when I checked on the Rust community's views on the dependency hell; they don't consider it a problem because everything is super small (aka micro-libraries) and if they need to, try breaking dependencies into "features" and ignore it until some other time.
 
Calling this protestware is not appropriate when I look at his work. By obfuscating his evil he really crossed a line.
obsigna was mentioning how he was going to disable downloads for his software for certain Geo IPs.
That seems like a reasonable protest compared to deleting files.

I absolutely hate what is going on in Ukraine.
But when you give your work to 'the license' there is no turning back. Regardless of your feelings.
I sort of agree and disagree.
First, yes he does cross the line, but, second, it is HIS software. He can put whatever he wants into it. He can put malware, virus, trojan or whatever. He deals with those consequences, but ultimately it is his software.
It's the idiots that blindly use this stuff that are the true problem and the languages that facilitate it.
 
Calling this protestware is not appropriate when I look at his work. By obfuscating his evil he really crossed a line.
obsigna was mentioning how he was going to disable downloads for his software for certain Geo IPs.
That seems like a reasonable protest compared to deleting files.

I absolutely hate what is going on in Ukraine.
But when you give your work to 'the license' there is no turning back. Regardless of your feelings.
Born in a strongly catholic family, I was taught that vengeance is one of the most evil attitudes and we must avoid this by all means.
We may hate individuals (in the form of strong discomfort with him/her), we must not take retributive actions.

We must not hate a whole society, only because of the malediction of some individuals.

For example, of course I hate Vladimir Putin, but I don’t have a death wish for him. It does not even go as far as what Richard Stallman said about Steve Jobs. For me it would be totally sufficient if Putin together with Lawrow would end a perhaps long lasting life in exile like Napoleon on Saint Helena. For me Putin may have it a tad more comfortable and he may even ask his best friend Assad for 72 virgins.

That said, I don’t hate the Russian people. As soon as Russia stops the war, I will stop my personal sanctions (geo blocking) that you mentioned, and I am sure the US, EU, UK and all the other allies all over the world will stop the sanctions as well and will seek normal relationships for the benefits of everybody.

BTW: The last login of our friend Andriy from Ukraine who discussed with us the LCD issues was on Feb 23, 2022. One day before the invasion. I hope he is doing well.
 
And note it's also the source of 0-day exploits involving javascript and bugs: CVE-2022-0609
And.. it's still being exploited in the wild today, even. :rolleyes:
(I wanted to link to the CVE, specifically Microsoft's take on it, but alas you needed to enable javascript to view it. Anyone see the lunacy in that? :eek:)
 