
How does one declare a security vulnerability in an npm package as the maintainer and publisher?

When I find a security vulnerability in one of my own published packages, how can I flag a range of susceptible versions, so that downstream consumers will be notified when they run npm audit?

Essentially you don't flag a range of susceptible versions per se. Instead you report it/them directly to NPM via the “Report malware” button that can be found on the specific npm package page at www.npmjs.com. The npm Security team then triages the report, and they flag it in the database. Users are then notified accordingly when running the npm audit command.

For further details refer to this post in the npm blog. Whilst the npm blog has been discontinued, AFAIK the process for reporting a security vulnerability is much the same.

Quoted below are the pertinent parts regarding the information that you need to provide to NPM about the vulnerability...

Source: https://blog.npmjs.org/post/179430064885/writing-quality-vulnerability-reports.html

In order for us to make sure reported vulnerabilities are handled rapidly and effectively, we need you, our community, to provide us with actionable, detailed information. Here are some basic dos and don'ts for your security report:

What should be included in a quality security report

  • The package name and version where you experienced the vulnerability. Example: marked@1.0.0 or marked@*
  • A short description of the vulnerability and its impact. Example: “If a user is able to control input into the function foo then the user is able to execute commands giving the attacker the same access as the user running the application.”
  • Details of the environment in which you experienced the vulnerability. Example: “This was found to be exploitable using node.js 6.0.0 on OSX, but was not tested using any other platform or Node.js version.”
  • A demonstrable proof of concept or steps to reproduce the same result. This helps the npm Security team efficiently triage the issue (see the example below).
  • Any particular references, code snippets, or documents that might help the npm Security team or the maintainer better understand (see the example below).

What should not be reported

  • Reports without actionable context are very time-consuming for our team to adequately process. These requests should go to the package maintainer in the form of an issue.
  • The output of npm audit. As the npm Security team already knows about these flaws, it's better to reach out to the maintainer directly to update dependency versions.
  • General feature requests.
  • Stack traces or errors without explanation as to what security impact they have.
