Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Security Issue: Risk of Dependency Confusion with scancode-workbench #635

Open
2 tasks
PlayerIUnknown opened this issue Dec 25, 2024 · 1 comment
Open
2 tasks

Security Issue: Risk of Dependency Confusion with scancode-workbench #635

PlayerIUnknown opened this issue Dec 25, 2024 · 1 comment

Comments

@PlayerIUnknown
Copy link

PlayerIUnknown commented Dec 25, 2024
edited
Loading

Description

I have identified a potential security risk related to a Dependency Confusion vulnerability within our project. Our package.json refers to the package named scancode-workbench, which, according to our findings, does not exist on the public npm registry. This poses a risk that a malicious package could be uploaded to npm with the same name, leading our build systems to accidentally pull and use the malicious package instead of our intended local or private repository package.

Affected Package

Package Name: scancode-workbench
Current Usage: Referenced in package.json as the project name and included as a dependency.
Version: 4.0.3

Risk Impact

If an attacker were to upload a malicious package to npm under the scancode-workbench name with a higher version number, they could execute arbitrary code within our systems or steal sensitive data, depending on how the package is utilized within our projects.
Every single time anyone would use the command npm install pkg name, the malicious package would be fetched. Even in automated pipelines, the higher version number of the malicious package on the public registry would cause a public vs private dependency confusion and might make systems fetch the malicious version of our package.

Steps to Reproduce

  1. Check the npm registry for scancode-workbench: [(https://registry.npmjs.org/scancode-workbench)]
  2. Observe that the package does not exist on npm, presenting a risk for dependency confusion attacks.

Proposed Solutions

To mitigate this risk, we have a couple of options:

  1. Claim the Package Name on npm: By claiming the package name on npm, we can prevent unauthorized parties from uploading a malicious package with the same name. This involves creating a minimal, benign package under the scancode-workbench name to reserve it.

  2. Mark the Package as Private: If the package is intended for internal use only and not meant to be published, we should specify this in our package.json by adding "private": true. This ensures that npm will refuse to publish it, avoiding any accidental exposure.

    Example:

    {
  "name": "scancode-workbench",
  "version": "4.0.3",
  "private": true,
  "description": "An application for viewing ScanCode results and concluding component origin and license"
}

Action Required

  • Decide on claiming the package name or marking it as private.
  • Implement the chosen solution to secure our package management workflow.

Additional Information

  • Reviewing our internal dependency management policies to avoid similar issues in the future.
  • Ensuring all developers are aware of the implications of public vs. private packages in npm.
@OmkarPh
Copy link
Collaborator

OmkarPh commented Jan 4, 2025
edited
Loading

We're not trying to install scancode-workbench anywhere, however we might still want to claim the name.
What do you think @AyanSinhaMahapatra @pombredanne ?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@OmkarPh @PlayerIUnknown