Why Javascript is a bomb waiting to explode.

JavaScript is the lingua franca of the web. It's not going anywhere. Turning it off is not going to gain you anything. You are not likely to ever suffer an exploit from it any more than any other exploit from any other language, software or system.
 
but alas you needed to enable javascript to view it. Anyone see the lunacy in that? :eek:)
I have a cesspit PC just for this very occasion. Sometimes it is fun just to see how gross it gets and imagine that some people actually use something like this as their daily driver!

Either way, VMs or Jails pretty much exist to contain the crap that this industry churns out. It is frustrating but it won't go any time soon. It is for us to have fun trying to avoid ;)
 
The bigger problem on this site isn't javascript, it's all these ponderous lines of jive-a-script.
 
If only more people were like you! :)

However, the majority of javascript "programmers" seem to be lazy, unassuming programmers with zero knowledge of the ramifications of using a system of blind inclusion of source code.
Yep, let's make PCs out of rocks and fire, from scratch. And check every single line of code. Russians are taking on this "task" right now.
 
Yep, let's make PCs out of rocks and fire, from scratch. And check every single line of code. Russians are taking on this "task" right now.
In all fairness this is a good thing and I wish it didn't take wars to encourage companies to do so.
Once Russia stops their nonsense and this all blows over, I do hope some of this re-implementation and audit work gets shared.
 
JavaScript is the lingua franca of the web. It's not going anywhere. Turning it off is not going to gain you anything. You are not likely to ever suffer an exploit from it any more than any other exploit from any other language, software or system.
I'm not sure facts back up your statement. In fact, I know it's totally wrong.
Javascript seems to be the single biggest vector for exploits from CPU cache poisoning to ransomware.
A little example: https://github.com/HynekPetrak/javascript-malware-collection
Just do a search in your favourite non-JavaScript-requiring search engine for "javascript malware" and tell me it is "any more than any other exploit".

I'll just keep disabling/avoiding javascript and/or mitigating it with sandboxing while you can keep using it safe in the knowledge the odds are with you. ;)
 
Yep, let's make PCs out of rocks and fire, from scratch. And check every single line of code. Russians are taking on this "task" right now.
I didn't state that. However, it's one thing to audit code line by line, it's another to blindly insert code into your own code without knowing what it does and why it does it. Trust is something, blind trust is stupidity.

When an author of some javascript doesn't even know they're using half the junk in NPM, that says a lot about the standards kept.
 
mark_j Since Javascript is the only programming language that runs in the browser, it's hard to find another that would cause issues. Note that the problem in your example is not javascript--it's ransomware and how it got on their system.
 
Javascript is the vector. There are other 'languages': CSS is one.

mark_j CSS is not a programming language. There are no native programming languages in the browser except for javascript
I suppose it doesn't really need to be a programming language that can be a vector.

I'm sure we all recall in the earlier days that compromised images could be an attack vector too (overflowing the decoder and getting it to execute a payload). However luckily in time the image decoders were fixed and most importantly, images are finite in that their complexity of being able to load them becomes complete.

Whereas Javascript is endless; rather than fixing bugs, the developers just keep piling on more vulnerable shite. And if that is even becoming reasonably complete, chuck in a bytecode generator that runs instructions on the GPU (WebGL/GLSL|ES) and after that chuck in a general purpose bytecode interpreter (Web Assembly). And after that, connect it all tightly to the underlying system (WebUSB).

Surely it should be reaching critical mass by now where technical / open-source communities are targeting / supporting more sane browsers like Netsurf? It just doesn't seem to be happening. These very forums are a sad example of that.
 
New NPM fun, this time: foreach!

 
Don't other languages have the same problems in their package managers?
The culture is particularly bad with Node.js / Javascript communities. Here the general trend is towards millions of "microdependencies".

I always get annoyed by Emscripten as an example. 99% of the project is written in C++ (the main Clang-based compiler) with pretty much zero dependencies outside of the system. Then for the final 1% the developers chose to use Node.js.

As you can see by the NPM package spec, this alone drags in hundreds of dependencies for fairly trivial things:

https://github.com/emscripten-core/emscripten/blob/main/package-lock.json

Python's PIP, Perl's CPAN and Rust's Crates.io have a similar tendency. Much of it is bindings to C libraries meaning that these languages will *always* require more dependencies than C and C++.
 
For me the difference between NPM and, let's say, PIP is that NPM programmers are really, really lazy and dumb. Older repository systems are mostly filled with modules that cover a certain task, e.g. parsing an XML file, running a small embedded web server, or correctly validating an email address. NPM has these too, of course.

But the majority of NPM modules are not there to cover such a complex task, but to do trivial little programming tasks which can be reused everywhere and which average programmers should be able to come up with on their own, e.g. left-padding for strings/numbers, and now this foreach thing.

Programmers in most other language communities would just write that stuff on their own, or maybe pull in one standard library that covers much of the required stuff, if such a thing exists. In Node.js and with NPM, though, people just don't bother writing such trivial things on their own; instead they pull them directly from NPM and integrate them into their own little projects. And since NPM has many of these little trivial building blocks around, many of which have a lot of dependencies themselves, even moderately complex Node.js programs often have a dependency count in the hundreds.
 
So the answer is yes. PIP sucks balls, and you should manually validate packages, cache them and only pull them from your cache.
 
Note: the Chromium browser contains 2,300,000 lines of JavaScript code.

For science, I ran devel/tokei with time on the official Chromium GitHub repo; here's the output:

Code:
===============================================================================
 Language            Files        Lines         Code     Comments       Blanks
===============================================================================
 Arduino C++             1           17            8            5            4
 Assembly               68        72876        65703          776         6397
 GNU Style Assembly    140       214881       195068         2649        17164
 Autoconf              154        23300        20928         1304         1068
 Automake               22         6413         5576          261          576
 BASH                   62         4034         2603          779          652
 Batch                  40         1005          647          142          216
 C                    1283       699971       480417       133889        85665
 C Header            45892      5202302      3117133      1156709       928460
 CMake                  89        14614        12279         1080         1255
 C#                    232       147024       119078        16680        11266
 CoffeeScript            4         1070          941           21          108
 C++                 53341     15477368     11757584      1463055      2256729
 C++ Header             96         8874         5859         1665         1350
 CSS                  1414        75320        59539         5644        10137
 D                       1           17            4           10            3
 Dart                    3          129          102            7           20
 Dockerfile             35         1835         1358          266          211
 .NET Resource           7         1904         1452          452            0
 Dream Maker             1            1            1            0            0
 Emacs Lisp              8          969          579          229          161
 Elm                     2          542          399           32          111
 FlatBuffers Schema     11         1483          491          765          227
 Forth                   1            2            2            0            0
 GDB Script              1           34           17           14            3
 GLSL                    3          102           51           33           18
 Go                      7          827          683           61           83
 Groovy                  3         1955         1585          210          160
 Handlebars             13          107          107            0            0
 Happy                   1          498          449            0           49
 HLSL                    3           80           63            9            8
 INI                   107         3827         2651           16         1160
 Java                 8670      1662433      1147431       294472       220530
 JavaScript          21040      3641765      2487826       764970       388969
 JSON                 5661      2209774      2206543            0         3231
 JSX                     5          849          677           60          112
 LD Script               4           39           31            5            3
 Makefile               45         3349         2237          536          576
 Meson                  10          965          792           63          110
 Module-Definition      23        14099        13964           67           68
 MSBuild                11          577          518           29           30
 Objective-C           157        76796        59183         8571         9042
 Objective-C++        4270       796018       589123        84645       122250
 OpenType Feature |      1         3834         3110            1          723
 Pan                     6           91           67            7           17
 Perl                  104        24048        16172         4589         3287
 PHP                   752        40605        26734         9791         4080
 PowerShell              1           20            9            6            5
 Protocol Buffers      963       119654        64377        38370        16907
 Python               5818      1093137       852664        91059       149414
 R                       1           23           20            0            3
 RPM Specfile            4         1357         1135          123           99
 Rakefile                2          185          142           11           32
 ReStructuredText      122        33991        25340            0         8651
 Ruby                   23         6305         5215          268          822
 Sass                   12          178          137           15           26
 Shell                 427        34095        22318         6931         4846
 SQL                   178         9266         8671          255          340
 SVG                  3517       173450       153910        11954         7586
 Swift                  71         5768         3903         1014          851
 SWIG                    1           98           56           28           14
 TeX                     1         1454         1441           11            2
 Plain Text          29743      1599903            0      1531852        68051
 TOML                  143         6885         4797         1268          820
 TypeScript           1829       321573       223558        56099        41916
 Vim script              6          338          273           43           22
 Visual Studio Sol|      1           26           25            0            1
 WebAssembly             2            8            8            0            0
 XSL                    82         2488         2282           80          126
 XML                  3527       625625       569565        20268        35792
 YAML                  587        33103        29223         1290         2590
-------------------------------------------------------------------------------
 HTML                86806      2183417      1957814        85968       139635
 |- CSS              33393       471692       429668         9019        33005
 |- HTML               842        12700        12510          134           56
 |- JavaScript       49962      1698709      1435041        73721       189947
 |- Plain Text           9           67            0           67            0
 (Total)                        4366585      3835033       168909       362643
-------------------------------------------------------------------------------
 Jupyter Notebooks      18            0            0            0            0
 |- Markdown             3          262            0          203           59
 |- Python               3          902          629           99          174
 (Total)                           1164          629          302          233
-------------------------------------------------------------------------------
 Markdown             2458       246083            0       185893        60190
 |- ABNF                 1           57           36            9           12
 |- BASH                68          806          660           93           53
 |- C                    5           63           54            0            9
 |- CMake                1           49           34            8            7
 |- C++                 55         3396         2540          521          335
 |- CSS                  8          117          111            3            3
 |- HTML                44          814          737           35           42
 |- Java                32         1610         1202          239          169
 |- JavaScript          25          698          541          127           30
 |- JSON                16          576          572            0            4
 |- Lisp                 1            7            7            0            0
 |- Objective-C          2           75           52            4           19
 |- Python              32          861          721           52           88
 |- Ruby                 1           17           11            2            4
 |- Rust               103         3701         2872          329          500
 |- Shell               89         1203         1019          121           63
 |- SQL                  3           87           74           10            3
 |- TOML                61          227          176           34           17
 |- XML                 13          303          265           28           10
 |- YAML                 2           37           37            0            0
 (Total)                         260787        11721       187508        61558
-------------------------------------------------------------------------------
 Rust                 2659       851932       755910        31493        64529
 |- Markdown          1261       105738         8619        78226        18893
 (Total)                         957670       764529       109719        83422
-------------------------------------------------------------------------------
 Vue                    16          194          104           42           48
 |- CSS                 13          359          294            7           58
 |- HTML                16          473          461           12            0
 |- JavaScript          16          884          697          125           62
 (Total)                           1910         1556          186          168
===============================================================================
 Total              282822     37789179     27090662      6018910      4679607
===============================================================================
tokei  10815.21s user 35.26s system 317% cpu 57:02.70 total
 
Please can somebody change the misleading title of this thread to "Why node.js is a bomb in the course of exploding?"

All the examples given above do not make the case against particular language(s) which happen to be involved.
 
It's not NPM's fault; it happens mostly to NPM lately because of its popularity.
It can probably be done with GitHub too tbh with "forgotten password" emails pointing to lost domains.

I would say it is particularly prevalent with NPM because typical Javascript projects tend to drag in even more dependencies than Python PIP-loving projects.

This is simply a downside of racking up a tonne of technical debt in projects.
 