
Some thinking to discuss a way to fix the RCE issue

Open darxtrix opened this issue 8 years ago • 2 comments

Hey,

Attended your session at JSFoo today, liked the answers!

Just wanted to discuss an approach through which the chances of Remote Code Execution can be brought down to a very low percentage. This approach can be used:

  1. Install the package in a sandbox env, e.g. superagent
  2. Unless it is used in the code, don't install it in the main repo; prevent installation before somebody does this:
superagent.get(----)

Then make sure that the get method exists on the superagent that is installed in the sandbox env; if it is there, then install it. I think this methodology will significantly decrease the chances of RCE?

darxtrix avatar Sep 15 '17 17:09 darxtrix

Ah, this is super interesting. Any idea on how you'd detect usage in a generic way?

siddharthkp avatar Sep 15 '17 19:09 siddharthkp
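A sketch of the check darxtrix proposes, and one answer to the "how do you detect usage" question, as an added example that is not code from this thread or from auto-install itself: it scans source text for packages bound via require() or a default import, records which members are called on each binding, and then compares those members against what the sandboxed copy of the package exports before allowing the real install. The regexes, the function names, the constructed sample source and the stub export objects (stand-ins for a require() of the package from the sandbox directory) are all assumptions of this example.

```javascript
// Added example, not auto-install's own code: a sketch of the check proposed in
// the issue. findUsages() scans a source file for packages bound via require()
// or a default import and records which members are called on each binding;
// installDecision() then compares those members against what the sandboxed
// copy of the package exports and decides whether the real install may proceed.

// Bindings of the forms `const x = require('pkg')` and `import x from 'pkg'`.
// Destructuring, aliasing and dynamic property access are out of scope here.
const BINDING_RE =
  /(?:const|let|var)\s+([A-Za-z_$][\w$]*)\s*=\s*require\(\s*['"]([^'"]+)['"]\s*\)|import\s+([A-Za-z_$][\w$]*)\s+from\s+['"]([^'"]+)['"]/g;

function escapeRegExp(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
}

// Returns { packageName: [member, ...] } for every bound package, with an
// empty array for a package that is required but never used.
function findUsages(source) {
  const bindings = new Map(); // binding identifier -> package name
  for (const m of source.matchAll(BINDING_RE)) {
    bindings.set(m[1] || m[3], m[2] || m[4]);
  }
  const usages = {};
  for (const [name, pkg] of bindings) {
    // `name.member` anywhere in the file; `\b` keeps `mysuperagent.get` from
    // counting as a use of `superagent`. String and comment contents are not
    // excluded, which is one reason a real implementation should use a parser.
    const memberRe = new RegExp(`\\b${escapeRegExp(name)}\\.([A-Za-z_$][\\w$]*)`, 'g');
    const members = new Set(usages[pkg] || []);
    for (const m of source.matchAll(memberRe)) members.add(m[1]);
    usages[pkg] = [...members].sort();
  }
  return usages;
}

// Members the code calls that the sandboxed package does not expose.
// `in` rather than hasOwnProperty: superagent-style exports are a function
// carrying methods, and inherited members count as present.
function missingMembers(sandboxExports, members) {
  if (sandboxExports === null || sandboxExports === undefined) return [...members];
  return members.filter((m) => !(m in Object(sandboxExports)));
}

// The proposal from the issue: install into the real project only if the
// package is actually used and every used member exists on the sandboxed copy.
function installDecision(pkg, usages, sandboxExports) {
  const members = usages[pkg];
  if (!members || members.length === 0) {
    return { pkg, install: false, reason: 'required but never used' };
  }
  const missing = missingMembers(sandboxExports, members);
  if (missing.length > 0) {
    return { pkg, install: false, reason: `members not exported: ${missing.join(', ')}` };
  }
  return { pkg, install: true, reason: 'all used members present' };
}

// Constructed sample source for the demonstration.
const SAMPLE_SOURCE = `
const superagent = require('superagent');
import path from 'node:path';
const unused = require('left-pad');

superagent.get('https://example.invalid/').end(() => {});
superagent.post('https://example.invalid/').send({ ok: true });
const joined = path.join('a', 'b');
path.nope(joined);
`;

// Constructed stand-ins for what require() of each package from the sandbox
// directory would return. The superagent stub copies the real shape (a callable
// with methods attached); the second one is missing `post`.
const SANDBOX_SUPERAGENT = Object.assign(function request() {}, { get() {}, post() {} });
const SANDBOX_SUPERAGENT_WRONG = Object.assign(function request() {}, { get() {} });
const SANDBOX_PATH = { join() {} };

function demo() {
  const usages = findUsages(SAMPLE_SOURCE);
  return [
    installDecision('superagent', usages, SANDBOX_SUPERAGENT),
    installDecision('superagent', usages, SANDBOX_SUPERAGENT_WRONG),
    installDecision('node:path', usages, SANDBOX_PATH),
    installDecision('left-pad', usages, undefined),
  ];
}

for (const d of demo()) console.log(d);
```

Two caveats a practitioner would add to the proposal. First, the check only detects a package whose exports do not match what the code calls (a typo or a wrongly resolved name); a malicious package that mimics the expected API passes it unchanged. Second, by the time the sandboxed copy can be inspected, its lifecycle scripts have already run, so the sandbox install must itself be isolated, for example with `npm install --ignore-scripts` or inside a throwaway container, or the check simply moves the code execution one directory over.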

Most of my sunny days go by writing Python; I'll try to figure out something during the conference.

darxtrix avatar Sep 15 '17 20:09 darxtrix