Security of Packages

[salmenf]

Widgets are distributed as NPM packages, and WebWriter installs these packages on the user's machine using a package manager. As such, all scenarios and mitigations of NPM packages in general apply. https://cheatsheetseries.owasp.org/cheatsheets/NPM_Security_Cheat_Sheet.html

Scenarios:

1. Malicious Package: An attacker authors a malicious package and publishes it on NPM so that WebWriter can find it. The user installs it and a script is executed on the user machine.
   1a. Typo-squatting/Trojan: An attacker typo-squats an existing widget package and copies the metadata to appear the same.
2. Dependency chain attack: An attacker gains control of a package that widget packages depend upon, leading to the same issues as (1).
3. Package Spam: An attacker may publish spam packages that get picked up by WebWriter and are displayed to authors. This may even happen unintentionally if the webwriter-widget keyword is used.

Mitigations:

• Do not execute scripts on package installation (--ignore-scripts) -> This would allow malicious package to execute arbitrary code. (mitigates 1, 2)
• Deny installation if lockfile and package.json differ (--frozen-lockfile) -> This makes builds deterministic and avoids security issues introduced by updates anywhere in the dependency tree (mitigates 2) BUT introduces the burden of consistent lockfiles on developers
• Publish an allowlist and hide results not on the allowlist by default, e.g. allowing by organization name (mitigates 3) BUT adds a maintenance burden