Home
Contribute Contact Us Browse all meetings
Home Contribute Contact Us Browse all meetings
Node.js / Security Working Group / 22 Feb 2021
Node.js / Security Working Group / 22 Feb 2021
Previous Meeting Next Meeting
Add meeting Rate page Subscribe
youtube image
From YouTube: Node.js Security WG meeting 2021-02-22

Description

Node.js Security WG Meeting for February 22, 2021

A

Hello, everyone and welcome to um the ecosystem, security working group of node.js. um Let me share my screen, uh so we can see what is the agenda for today.

A

Okay, so we have three things here and now I have an additional one about a new time where more members can join.

A

I know thomas you have presented, you have prepared something for presentation right.

B

Yeah, but we can push if because I guess we are only free and if, if vlad live as you want, but I could I could do it yeah. Probably I've prepared some things.

C

uh I have to live in 28 minutes so, depending on the time of the oh.

B

Okay, this is okay,.

A

Would you like to start with that or go over the other two topics? First,.

B

Yeah go over to other topics. First, I guess sure.

A

uh Okay, so this is one, uh and I actually don't know if there are, if there is any progress in the last meeting, we have said that we would like uh the group to refocus on to support open js projects, and there are two different groups. I don't know if you had the time to to have a look at the two of them, how they work or if we have more information about how we can proceed with that.

C

uh I I I took a quick look and I'm not really clear what's best, because I don't know much about the foundation.

C

um My guess is that if we find a time frame that is more friendly for math for for for michael, he can tell us in details what he thinks and what would be the recommendation. What you? What do you think.

A

Yeah, that's that sounds good with me and I know this time doesn't work for most people, whereas we have two other candidates that work. So we can postpone this for the next meeting when michael can join and can give us more information.

B

Awesome.

A

Is it okay with everyone.

B

Yeah yeah I'll carry this too.

A

Great, um the other one is about a nomination.

C

So I think we asked matt if he was still interested yeah.

B

On the second issue, you asked us and you didn't have, though yet so I guess I guess you said you will. We will close this if hey.

C

I'm taking note in the.

C

Minutes.

A

Oh, are you taking notes it's great because I was I would. I would try to do that after the meeting, but it's now it's.

A

Better, so would would we like to close these issues since we didn't get any response and if you would like to join, you can create a new one.

C

Yeah, I I think I'd be persuaded on that, so feel free to close it, and I will take note, update the minute. I'm doing that right now.

C

Okay,.

A

And same goes for this one, which was for the for the.

A

Tries.

A

Great um so right here there is nothing more than the presentation, uh but if we could discuss the the time for the next meeting a bit. So if you go to the to the doodle, um I've seen that there are two candidates. So this is central european time because that's where I'm located, but the two candidates are this one.

A

We have six participants and there is another one here where we have seven participants, um and I wanted to get your opinion about how you'd like to move this forward, and the idea I had is to interchange the meetings and have one um one week, one month, uh the one time and the other month, the other time, just to make sure that everyone has the the option to join.

C

I think that's a good idea, um especially if we can do that at very different time in the day, so we can be friendly with more time zones. I know some people in australia. I've been frustrated to not be able to participate. The working group at all.

A

Oh probably, this is not surfaced here, because both times are 4.

C

P.M:.

A

And 3 p.m: central european time.

C

I mean we can try and uh let's start to alternate between those two two times and days, and let's see this goes with feedback, I mean if, if we manage to get more people to the meetings, that will already be a success.

A

Exactly.

A

Great, I would like to suggest that for the next month we go with this one, which is a thursday simply because this is the only one from the two possible dates that michael can join and can give us more information about the the open, js foundation.

C

Is it okay? If I, if I put you in action to sync up with michael, so he can update the bots that schedule the meetings? Yes,.

A

I will reach out to.

A

Him is this: okay, with everyone.

B

Yeah yeah.

A

And there is no other meeting agenda topic listed here. I don't know if you have anything else or we can move to the presentation.

A

No great, I will stop sharing and.

B

Let me sharing screen.

B

Do you see my my screen? Yes, okay, okay, so what first? What is not secure? This is a tool I created to to analyze a driven npm package or or even a local node.js project to deeply analyze the dependency tree.

B

uh So I will not go too much on on data and things because yeah there is a lot of features in the tool that I will just demonstrate.

B

So, for example, if I want to analyze, I don't know I sticky from rock, I will run a command that will just fetch all all information, tables, etc, and it will open a page with every information about fastifi. So we we see, we can move and see. Over ufastifi has been built with all the package of of on the festive core framework.

B

We have some information here, for example, all the global statistics of the number of package total size on the disk, indirect dependency, some the extension it use across all the project. So we can maybe time find interesting things. So here we see there's certain k, but this is because material use do some tests on ssl.

B

We could see licenses and even maintainers. So, for example, if I click on go watch if available. If I find a link because sometime on npm, this is hard to find the link, but if I find that we could open page and cutter and, for example, we here if we, I there's a weird extension and there's a search bar where I can extension and maybe fun okay, so we see we could go on fast if he and if we click on the package or anything we could. This is.

B

This- is opening a left panel with a lot of find information on the package, so we have every npm metadata like url the number of rayleighs the data. The last way is two lot of formation on file extension.

B

Eventually, if there's here, we see there's missing dependencies, but this is because because material love publishing a test, and example in his package, so it's used. He has some example where I use this, but my static analysis so detected this and think this is missing dependencies.

B

But this is good because sometimes we can find some error where not never forget, to remove some dependencies, and so we could see what node.js dependencies use. I have a quick question: does it unused dependencies, yeah, yeah, yeah, there's missing and unused dependency?

B

uh I already opened at least 20 uh pull requests on npm uh because they forget a lot of the when there are factors they just forget to remove this some dependencies, and this is very useful to to find dependencies. That's not used, so we have a lot of also better phobia information for all the size of the package.

B

uh If we check here, we can even we have listens and running. So if we open listens, we have also information about the licenses. So with each file we see with there's two files with licenses mit and there is uh some uh it don't. I will open just another package, but we have some warnings, uh pop-ups and yeah. We can just go watch for tree, so there is some emoji, some emoji just mean there are all meaning they have a meaning.

B

So, for example, if I want to know what does that does mean, we have an emoji legends and we can open a pop-up and check.

B

For example, the little planets is about if they use https everything that could escape eventually on internet, uh we could use some to detect native add-ons etc, except they are mini-shit code lot of things like package as a script also and other like when there is a point of or things like pokey po pem, we we could see it directly is updated useful for, for example, if I come back here, I could directly see here, for example, so I could see this is not the last version we see.

B

Everlast version is 1.00, so as a mighty maintainer I could. I could see also easily if some dependency in my stream is not up to date year. This is not up to date. The last is 2.123, etc, and I will just check. I think that I've been said check it. There is a new one. Oh yeah, I've seen this. It is pretty interesting. This little emoji means there is two licenses here.

B

We see instances esc mit and I think there is a mistake on this package because the package.json is in is essay and the licenses is mit.

B

So I guess this is just an error and we need to pull request here, but this demonstrates on what not secure is pretty cool, because you can easily detect some mistake like this and if we take, for example here we have a warning, so I could open one in so this is done with my uh static analysis.

B

So here this spreadsheet command. There is a regex detected as unsafe and we could eventually click to load the code detected, but we could also, I guess, if I click here, just open the file on in packaging.

B

uh I have to fix something because I don't have a line of code on the left, but we could here. There is some link to open the package. Also, the root of the package.

B

When this work.

B

Yeah, so we could easily go and check the code ourselves to see if everything is fine.

B

And yeah yeah, that's that's it! This is uh we see here little like you are scared of vladimir, but you see when there are little eyes like this. This means there are. You know dependencies, so some sometimes this is false positive we have, but some most of the time. This is right, but there's some case where the static analysis failed to detect or or because the package used some specific dependency or you know so a lot of case not not only yet, but most of the time I will say that this is accurate.

C

Out of curiosity, which package do you use for craig x for what.

B

Power, detecting and safe regex. Oh, this is my own package.

B

This is my uh static analysis. Oh I I know sorry for I guess yeah there's some uh for unsafe regates. I use safe progress regex this one.

C

Nice.

B

But there is also a false positive. There is an issue open and I don't remember where, but there is also improv. Hence man to do on this because yeah, we kind of detect a lot of free, regular expression and safe, but they are safe, but yeah. This is complicated. Subject: uh yeah, that's it! uh So, basically the web appear work with this json.

B

So everything is here. We could also use the json version to share it to some friends and to open it on the site, etc.

C

So is there any server or is there any uh passing and detection happening on the client machine? Do you have a web api for that or.

B

Yeah yeah yeah there's an app this package work as a command line or api. You could use it completely from api. This is typically what we do and it just. I show you fast what we have done.

B

On slim, I o we used the api mod to generate this report, so we we used it on the multi repository to extract an overall view of what dependency we use on slim, io, like every third parties, transitive dependencies, etc, etc. So, like we see all the extensions we have in in our project, recently warnings and yeah, we generate this report with it.

B

So like this, this is, we use the api mode, but I guess this could be used in a lot of other situation, where we want to extract that, uh for other things like drawing an interface.

C

Very very cooler: I love it.

B

And yeah: that's it: okay, pretty simple! If you have no other question and yeah, there is a lot of possibilities in the search you can, for example, if you are searching for dragon built in, we could, for example, if we want to know what users that live, so we we know for festivity and light, might request use so yeah. This is useful to to find to extract and find the.

C

Data.

A

Yeah this is great and it can be very helpful when trying to find out when you have a vulnerability in a dependency and is very much nested in the dependency tree and how you can navigate there.

B

Yeah yeah there's still some problem and we are still working on on rocky, I'm still working on the static analysis, because there's still a lot of false positive right now, but this is also capable to find a lot of like this. This is, I guess, a baguette, because I'm I'm working on on new warning capable to detect obfuscated code, uh but it didn't it. Don't work very well right now, but uh I but it's going to but yeah it's going to be a cool features too and yeah it's like here is capable to the text.

B

Thing like this they'll require a cache, so this can be pretty uh dangerous. If this is like a real scenic require to maybe use yeah, I guess, because in pkg sometimes take a long time to load it.

C

Okay, very cool thanks a lot for training; I'm definitely using that from now.

B

Okay, I'm stopping.

A

Yeah, thank you for the presentation.

B

Join it is.

A

There.

B

Sorry, no, no, I I'd say some someone joined.

A

I don't know if there is any other topic, otherwise I think we've covered the ones we had in the agenda, and I remember that for auction items we have to um to change the time and date for the for the meetings um vladimir. Have we do? We have any other action item that I forget about.

C

I don't think so. The only thing we need to do now is to uh pr the minutes. I have a task to do that tomorrow, so you can amend until tomorrow, and I will do that tomorrow morning.

A

Great yes and I'll I'll upload the recording to youtube and share the link.

C

Awesome thanks a lot.

A

Great and I hope, with a new time and date, we will have even more people joining.

C

Yeah, thanks again for uh for today, eva thanks a lot for the demo have a great afternoon team.

A

Thank you.

C

Bye.