From YouTube: Security, modules and Node.js
Description
OpenJS Foundation Collaborator Summit, Berlin, 2019
More details: https://github.com/nodejs/summit/issues/155
ES modules in Node.js have touch points with the security of Node.js, so as we shift to ES modules, all the decisions we're making around ES modules affect the security of Node.js in future. And the other thing is that WebAssembly has its own security model, which, as we integrate WebAssembly into Node, also affects Node.
In particular, I have a PR up, and this is actually what started the motivation for the session: it was a request to remove global.process, which is currently available in all modules, but just for ES modules, and currently the PR is blocked. But now this entire section is together.
We've got a deep dependency of a dependency of a widely installed package that maybe isn't maintained that well; someone ends up maintaining, or getting the rights to publish, that package, and in this case it was the getcookies package, and they were able to publish a backdoor into the node modules, and then anyone who's running upgrades of their dependencies without a lock file is potentially getting this backdoor, and because it was a cookie parser it could actually take commands that would allow remote execution and things like that.
Any package can do anything: that cookie parser has full root access to the file system, so the maintainer of that cookie package can push, and then what happens when this gets discovered is we have a security process that kicks in. We've made incredible strides in getting to a position where security audits are now completely widespread, and it's amazing how that process has been built.
But what about this sort of maintainer that's been compromised? There's still that small window of time where they're able to push up damaging code, and there's nothing you can really do about that, and we're especially vulnerable because in the Node.js ecosystem we depend on a lot of maintainers. And it's not going away; you know, it's growing over time, the amount of third-party code we're using, and we update incredibly fast as well, with tools like Dependabot.
That also means it's very easy to very quickly have one of those maintainers, who you don't even know about, fall, and for them to just push up something that's malicious, for it to propagate very fast before it's eventually caught and mitigated. It's this new module world.
Yes, we should stop install scripts, and we should just run install scripts that need to build binaries, and can do it in ways that... no, it's worse than ever. If you try and speak to anyone about securing JavaScript, or securing Node.js the way it works today, you know very quickly that the general assumption is that it's just not possible, because that's not how JavaScript works: the language has too many security holes and we can't patch them, and the only viable security model for JavaScript is process isolation.
And that's before you even get into all this Meltdown and Spectre stuff, where we have these CPU hacks, where even if you plug all those same-process issues, it's still possible for there to be same-process vulnerabilities, but it's using the CPU itself. So once we solve the language, we've still got the problems of the CPU architectures.
So the counter-argument is: Node.js is not a browser. We shouldn't take our security advice from the browser environments. Node.js has very different security properties, and it's really not an option for us in Node just to adopt sandboxing, with the way that apps are written now, code sharing the language, if we just sort of bolt on some kind of sandbox thing around it.
That's just the way things are, and so the response to those arguments about trying to get perfect security is: what can we do to mitigate those risks? Sort of reduce those risks, not perfectly solve them, not create an ecosystem where everything is perfectly secure, but what can we do to make sure that, as much as possible, we reduce that risk, which right now is quite high, because any of the hundreds of maintainers that exist in my app can get full read access.
It's not a black-and-white issue where there won't be an attack surface; at minimum you can be hacked. So if you think of this critical attack probability as something like how many maintainers have publish access to all our packages, times the average security standard of those maintainers: do they use two-factor authentication, how susceptible are they to spoofing or other types of hacking attacks?
We want third-party modules to be able to discover the highly coveted shrug emoji, and then we also have a function here that we don't want to be run by our third-party modules. So this function represents the capability, the nuclear launch function, where you don't want the third-party code to be able to call that function. So do we know that we can safely load this third-party code, this third-party WebAssembly code, without
exports them, and the amazing thing about WebAssembly is if we know that that module has no imports. So if we know for a fact that this WebAssembly module itself isn't able to import anything else from the file system or the module system, then we don't care what code is in this parsing function. It could be downloaded from the dodgiest side of the internet.
We don't even have that problem, because Meltdown and Spectre are timing attacks; they need access to timers in the environment, and in this code example the WebAssembly code has no access to its host. It can't access any timing functions, so it can't do any reverse engineering of the CPU cache to try and discover sensitive information.
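The check the speaker is describing can be made mechanical: before instantiating an untrusted WebAssembly module, read its import section and refuse it if it asks for any capability you have not explicitly granted. The following is an added example (not code from the talk or from Node.js). The two binaries are hand-assembled for this example: the first is the 8-byte header alone, which is a valid module with no imports; the second adds a type section and an import section declaring a single function import "env"."now" (a hypothetical timer). The import object passed in is treated as the capability grant, so a module that demands nothing can be instantiated with an empty grant.

```javascript
'use strict';

// Constructed wasm binaries (hand-assembled for this example, not from the talk).
// Header only: a valid empty module that imports nothing and exports nothing.
const WASM_NO_IMPORTS = new Uint8Array([0x00, 0x61, 0x73, 0x6d, 0x01, 0x00, 0x00, 0x00]);

// Header + type section (one func type () -> ()) + import section with one
// function import "env"."now" of type index 0. This is what a Spectre-style
// module would need: a timer handed in from the host.
const WASM_IMPORTS_TIMER = new Uint8Array([
  0x00, 0x61, 0x73, 0x6d, 0x01, 0x00, 0x00, 0x00, // magic "\0asm" + version 1
  0x01, 0x04, 0x01, 0x60, 0x00, 0x00,             // type section: 1 type, func () -> ()
  0x02, 0x0b, 0x01,                               // import section, 11 bytes, 1 import
  0x03, 0x65, 0x6e, 0x76,                         //   module name "env"
  0x03, 0x6e, 0x6f, 0x77,                         //   field name "now"
  0x00, 0x00,                                     //   kind = function, type index 0
]);

// Compile and list the capabilities the module demands, as "module.name:kind".
function listImports(bytes) {
  const mod = new WebAssembly.Module(bytes);
  return WebAssembly.Module.imports(mod).map((i) => `${i.module}.${i.name}:${i.kind}`);
}

// Instantiate only if every requested import is present in the grant.
// With an empty grant the module is fully isolated: no timers, no fs, no
// network, just the arithmetic it carries in its own code section.
function instantiateWithCapabilities(bytes, grant = {}) {
  const mod = new WebAssembly.Module(bytes);
  const denied = WebAssembly.Module.imports(mod)
    .filter((i) => grant[i.module] === undefined || grant[i.module][i.name] === undefined)
    .map((i) => `${i.module}.${i.name}`);
  if (denied.length > 0) {
    throw new Error(`refusing to instantiate: module requests ungranted capabilities ${denied.join(', ')}`);
  }
  return new WebAssembly.Instance(mod, grant);
}

// Convenience wrapper returning a boolean instead of throwing.
function canInstantiate(bytes, grant = {}) {
  try {
    instantiateWithCapabilities(bytes, grant);
    return true;
  } catch {
    return false;
  }
}
```

The same inspection works for modules that import memory or tables; only the `kind` string changes. Compiling synchronously with `new WebAssembly.Module` is fine in Node for small modules; for large untrusted inputs use `WebAssembly.compile` and then call `WebAssembly.Module.imports` on the result before instantiating.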
The security properties. So, except for the WebAssembly one, we have global capabilities. We have global.process. If we implement fetch like the browsers have, we have global.fetch. We have a readable global and mutable intrinsics, so you can write to Object.prototype, you can add things to the global.
You can read the environment, so these are all things that can contain sensitive information that you don't want leaking out, and if we have a global fetch, well, in this example, something like a JavaScript parser can then underneath it just have a whole bunch of code that steals secrets off the process environment. It can
take one of those from the globals, and if we have a fetch global, it'll be able to share those secrets with a third-party server, and this is one of the arguments for why, personally, I don't want a fetch global in Node.js, and I would argue strongly against a fetch global in Node.js, because it makes this global capability available to all third-party packages, which, if we don't have it, then those packages don't have the ability to share these secrets anymore. We've also got dlopen; you can open any Node native addon.
Access to make syscalls, basically, and we've got process.hrtime, which is ideal for doing Meltdown and Spectre-like timing attacks, because you don't even have to construct a timer anymore to do those attacks. You've got this perfect CPU timer that you can use to detect when it's optimizing.
The other thing is these mutable globals, the mutable intrinsics. You could have a third-party package that overrides JSON.stringify, and now you're using stringify in your app and it's behaving the same, but in the meantime it could be stealing all that information that's running through JSON.stringify and then sending it off to a third-party server. Object.prototype.toString and Array.prototype.toString could be overridden to do the same thing, and this is the same finding.
Another example of ways in which you can inject into intrinsics, and this one's a little bit more convoluted, but say, for example, you have a walk function that has objects of two types, either type A or type B, and the one type has a children property and the other type doesn't, and you check which type you've got by checking if you can do that property access and if it returns undefined.
That goes through the prototype chain of the object, so if some malicious code had defined children on Object.prototype, it's got, again, a trap, and it can steal the object. In this example, the classes, these are not just objects, they're classes, and you could potentially have functions or capabilities on those objects as well that are now being made available. So these are the ways in which we're spilling these security properties. Any questions?
To be very clear, global.process is it; there is nothing else that I'm proposing changing, and that behaviour global.process does cause, so that's kind of why I created a PR saying, well, these globals. It's this example where we've done all these things on process in the global scope, and I'm saying we should deprecate it.
What it does is it goes through all these objects, like the JSON object, Object.prototype, at least, so maybe all the intrinsics that are available, anything that's on the global object, and it freezes it, so that if you try to do any of these lines of code in strict mode you'll get an error if you try to override these defaults. And what we're doing is we're seeing if those who are interested in exploring these security properties want to see if they can enable it.
We're not changing the default experience in Node; you can opt into it, and then third-party packages will likely hit cases where it runs up against this flag, and that's where we want to get feedback and see how people are using this, and potentially get ecosystem PRs that fix it in cases where it breaks, or if there are problems integrating this change, which is quite a big change, into Node.
If you think back in the day, we had things like the Prototype library that was entirely built off the concept of overriding prototypes in the browser. It might be quite a change to think about these things this way, but this is critical to getting security properties in JavaScript.
If you're interested in exploring it further, please do chat to me or anyone else involved in this work. The edge cases: there are scenarios where setting toString on objects that don't have it to begin with fails, and these are sort of the subtle bugs that can happen, and in those cases we need to know when it happens. On the one hand, it's regarded as a spec bug that you can't define any of the Object methods on an object that has a frozen Object.prototype, and you need to make sure they are defined up front.
The third thing is timers, and unfortunately we can never deprecate Date.now in JavaScript; in Node.js it's pretty hard to get that into the ecosystem. I mean, maybe we could make some progress on that, but we just have to accept that we have access to fine timers, which means we have Meltdown and Spectre attacks, and so we just have to assume that it will be possible to do these sorts of reverse-engineering attacks.
Yeah, maybe we could add a flag to Node to disable Date.now, but I'm not optimistic about that working in the ecosystem; I just think it'll break too much. Already this frozen intrinsics is a tough one, and will take a lot of collective effort to be able to support the ecosystem and PR the ecosystem to support it. The Date.now one is even more drastic, but yeah, in workers...
I'll talk about that; that's one of the reasons why I wanted to deprecate global.process, because if you don't have hrtime, it's harder to construct a high-resolution timer with Date.now. I believe it is possible, there are various very subtle techniques, but yeah, process.hrtime might be needed for that. But the key thing I want to mention here is just because you can
complete the act of stealing a secret means being able to propagate that information to another server. So you need to have the timer capability, which maybe let's give up on, but then you also need to have the capability to share that secret. So even if you're running code in the same process that in theory could be discovering your internal authentication codes and things, it can only be considered insecure if it also, then, is able to share that information with a third party.
If that code is in a sandbox where it doesn't have the ability to exfiltrate, then it can't share the secret. So was the secret really at risk? This is the capability to exfiltrate, and if we move the focus for JavaScript away from the capability for timers, and accept we've lost that war, and
focus on a sort of core concept of this capability to exfiltrate a secret, to send it back off to a malicious server, or something like that. As long as we can control that access, we can control the secret from getting out, and then the thing to watch out for is what sort of covert side channels there are, side channels that we didn't even know we were doing. So say, for example, you're rendering some HTML and your HTML renderer is attacked, and now it's spitting out secret information through invisible HTML or something.
If you think of imports as a kind of capability, when you import readFile from fs, you're asking for the ability to read files as a capability; you're asking for the permission to read files, and actually at the resolver level we can have a security model, because you could just throw on importing from fs and say, no, you're not allowed to import fs. So if we treat imports in JavaScript as capabilities, then we're getting something similar to that.
That's a security model where we've now put modules and WebAssembly into secured sandboxes, and we can control the network capabilities. We know that organizational secrets don't go out, even if those packages or modules are completely hacked; they wouldn't necessarily have access to these things. So I want to briefly just go through, very, very quickly, Deno's take on these security models, and Deno does something like this: you run a server, and as soon as you run that, you get a question: this app is requesting network access.
Do you want to grant it? You get a few options, and only once you accept that does the server start; it hasn't touched the server yet, and then later on it requests read access to a file, and you have to grant that read access as well. My concern with that is it assumes that the user is around to interact with the process. What if they're not? Is your server just sitting there hanging? So I'm not so sure about that. There is another way to grant
these permissions, on startup with flags, which seems better, but again it's whole-application permissions. So that's great if you're running an application that, you know, is just going to take in text and spit out text, but as soon as you've got any interesting application, it's probably going to have a lot of permissions, and then you've got that third-party code problem, that any third-party code can have those same permissions. So any third-party code in this example, if you're running it
You have to specify explicitly which directories are accessed, and once those directories are given access, the idea is that you have these special references that represent those directories. In this example the keywords are the `..._fd` and `temp_fd` references, which I think the ultimate goal is to treat like references; in JavaScript you could think of them like symbols that ideally wouldn't be forgeable. I
think right now they actually are forgeable, but I think the plan is for them not to be, and then, when you load a file, you say, here's my special symbol for this folder, or the temp folder, that I got access to, and the only way you can get access to that symbol is, well, supposedly you only get access to it if you've been given the symbol. So if you don't have the symbol, you don't have access, so you can't just forge it, just string it and make it up.
That's not the way we're doing things today, and I'm not suggesting that Node.js overnight implements a capabilities-based security model. Rather, the question is: we have Node.js as a project that is the steering force of JavaScript that does not run in the browser, and of JavaScript in the browser for that matter. Can we use our power to try and steer this ecosystem in a beneficial direction, for those companies, for those organizations, that are interested in getting these security properties, which a lot of companies are interested in?
What can we do as a project to help start to move in those directions that they can potentially build on? Instead of, I would say, "no, it's not secure, we're going to go through our project and say it's for something else", you know, what can we do to try and provide those properties through Node itself and unblock that work?
Allow that work to happen on top of Node, not getting right into core, but just on top, in userland, and just, look, well, we could already do import permissions through loaders. Loaders give the ability to hook the resolver, which means you can provide a custom fs instance, where every module, every package, can get its own fs with its own scoped permissions. Well, we could do something like WASI's capability model, where you pass it in, but that's a bit more drastic, but
to be able to get these import-level security properties that can restrict permissions. So you could say this package only has permission to the network, but it doesn't have permission to the file system, and it doesn't get fs, and you could just restrict it, and this is a huge, wide-open space to explore, but if we can start exploring it in Node, I think it would be very interesting to see where things go.
Here's a sort of a complete mock of some ideas. Again, this is literally just, like, doodling ideas, and it's terrible, but if you can control the imports of a package, so you say the local project can only import fs and some third-party package, and only has read access to the current folder, and the third-party package is not permitted any imports, and you restrict imports by just saying packages.
So the idea is to restrict imports to only maybe what's in the dependencies of the package.json, so you treat the package.json dependencies as a sort of layer that says, I only import these packages, and then maybe think about what permissions you have, and then I was thinking sort of package-management time. So as you install a package, you kind of verify the permissions then, as opposed to during runtime, like Deno.
You could say, I can see what these packages are depending on, and then you have some kind of policy file that's treated like a lock file, where you sort of know what each package is accessing, so that if it tries to change its security policy on an upgrade path, then you can be prompted for it on install and then re-prompted, and again, these are huge usability spaces.
We can deprecate the global process and not have to infer the global capabilities. Then, if you in your company want security, you can execute on frozen intrinsics first, and globals; if we accept that we've lost the war on timers and just allow people to focus on the ability to not exfiltrate, and assume that people are going to be able to use Meltdown and Spectre to discover them, then we can play around with imports and permission models on top of that, and that's
being very close to these strong security properties, so you can't access anything else, and then you get package security models. So just as an example, how does this mitigate the Node.js security issue? Well, if you think right now, we have this: every dependency in your app has full access to everything.
With permissions, only some of them could exfiltrate secrets, so I don't actually care about three of those. If that one gets hacked, it's got access to fetch and read, so if that one's owned, or anyone it shares with, it can share organizational secrets, and number five has write access, so that can probably become a full backdoor situation. But we've gone from having five dependencies that immediately get read access if they were hacked to just having one dependency with at least root access, and two dependencies
so that users who are writing ES modules have a chance not to assume that the global process is available. So what we're doing is it remains available; we're making it a getter that gives you a warning. It says: please don't use global.process. Now, if we do anything less than that, people will use it, they will publish it to npm, it'll be so ingrained and we won't be able to change it. This is why browsers can't do any type of security models like this, because they have all