POLA Would Have Prevented the Event-Stream Incident

Andrea Giammarchi andrea.giammarchi at gmail.com
Tue Dec 4 03:20:27 UTC 2018

It's a great read and it makes sense in some case, but it also reminds me
too much how Android Apps, and their incremental permission model, work.

If an App had granted access to read or write files, and the company behind
such App changes, or its developers change, the permission remains but what
it is used for, becomes uncertain.

In that case, the Store supposed to be the filter to grant the new version
of the app doesn't do anything malicious, and that is IMO what's missing in
the `npm` world, which is more relevant than dropping global privileges,
'cause specially in the NodeJS world, most module need `fs` for a reason or

In those cases, POLA wouldn't make much of a difference, unless the
permission is not for the usage the `fs` module, rather the directories
such module should be able to crawl.

On the Web there are already various ways to secure the network, and CSP or
CORS are just few. In NodeJS though, there are also native modules nobody
looks even at their source code, and having a "trusted revision" per each
version, open to every module author might be, as impractical as it
sounds, the best option to avoid future issues.

I think the event-stream case showed many broken rings of the Open Source
chain and no-one to blame for it 'cause such chain is knowingly broken but
we're OK with it.

As mentioned in a tweet, since that "scandal" happened, people kept adding
stars to projects I've officially deprecated, providing more recent,
robust, and actively maintained alternatives.

Maybe I should just pass ownership of these modules (one of these has 13M
downloads per months) and laugh at how much nobody learns anything from the
past if something like event-stream happens again (no, I'm not planing to
do that, but I often wonder if I should).

Best Regards

On Tue, Dec 4, 2018 at 5:19 AM Mark Miller <erights at gmail.com> wrote:

> The npm / event-stream incident is the perfect teaching moment for POLA
> (Principle of Least Authority), and for the need to support least authority
> for JavaScript libraries.
> https://medium.com/agoric/pola-would-have-prevented-the-event-stream-incident-45653ecbda99
> by Kate Sills (cc'ed) explains the point. The links at the end of Kate's
> article are worth following. In particular:
> Securing EcmaScript, presentation to Node Security
> https://www.youtube.com/watch?v=9Snbss_tawI&list=PLKr-mvz8uvUgybLg53lgXSeLOp4BiwvB2 is
> my presentation explaining many of these issues *prior to* this particular
> incident.
> At the recent (November 2018) tc39 meeting, I presented on the
> enhancements needed to support least authority for JavaScript modules and
> libraries, adequate to have prevented this incident.
> Besides es-discuss
> https://news.ycombinator.com/item?id=18590116
> would be a good place to discuss these issues.
> --
>   Cheers,
>   --MarkM
> _______________________________________________
> es-discuss mailing list
> es-discuss at mozilla.org
> https://mail.mozilla.org/listinfo/es-discuss
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.mozilla.org/pipermail/es-discuss/attachments/20181204/fa8fe66a/attachment.html>

More information about the es-discuss mailing list