upvote

points

by dns_snek3 hours ago |
comments
upvoteby Ajedi323 hours ago|
next
[-]
And even in the ones that don't, having to wait until the project executes to begin its attack is a minor inconvenience for malware.
reply
upvoteby an0malous3 hours ago|
prev|
next
[-]
What other package managers do this? I don’t think Ruby does
reply
upvoteby dns_snek2 hours ago|
parent|
prev|
next
[-]
Most of them? Ruby gems have hooks, Python has setup.py, deb, rpm have them too (relevant if you're installing from 3rd party sources). Elixir/Mix doesn't technically execute code on install, but your language server builds the dependencies as soon as you open the project, which can execute arbitrary code.

Either way it misses the point, nobody just fetches code and removing post-install scripts wouldn't change much because you're going to run `npm run something` 5 seconds after you run `npm install`.

reply
upvoteby IshKebab2 hours ago|
parent|
prev|
[-]
Python does too I believe.

Really the reason not to allow that is for robustness, not security. You ideally don't want package installs doing random stuff to your system because package authors are generally bad at doing that sort of thing cleanly.

The security impact is relatively minimal because as other people have said, you just installed a package. What's the very next thing you're going to do? Compile/run it obviously.

reply
upvoteby oblio2 hours ago|
parent|
[-]
A lot of packages are pulled in to call minimal bits of the actual library. I obviously don't have any statistics on this but my instinct would say that for the average application only 5% of an average package is actually used.

So not running package installation scripts is a huge, massive problem.

reply
upvoteby IshKebab1 hours ago|
parent|
[-]
So what? Packages can just put their backdoors in some initialisation code that is always used.

It is possible that not running package installation scripts could improve security, but for that you need really good sandboxing/compartmentalisation of library code, e.g. with CHERI, WASI component model, or if all of your code must run in a secure context it probably helps.

But those situations are unfortunately rare in my experience.

reply
upvoteby matheusmoreira2 hours ago|
prev|
[-]
You're right. I said the same thing and got downvoted too. Don't let it discourage you.
reply