amp-toolbox icon indicating copy to clipboard operation
amp-toolbox copied to clipboard

Published 20 hours ago verified publisher icon ampproject

Support Offline CI Environments - validation schema `postinstall` download is a security issue

Open mmmeff opened this issue 4 years ago • 1 comments

The @ampproject/toolbox-optimizer package attempts to communicate with external servers in my CI environment when building my project.

External network traffic at build time is arguably a Bad Idea™ - my organization runs its CI builds with blocked network access to prevent any potential source/secret leaks from bad actors on NPM. Since this package's postinstall script involves making network requests for validation rules, amp-toolbox is effectively broken in my environment.

Fetching new validation rules from an external source may seem like a convenient way to bypass publishing and deployment mechanisms, but this practice violates semver best practices by allowing for breaking changes to go out to consuming packages. The best course of action here is to tie validation rules to new patch/minor/major versions like the rest of your code and bundle the validation schema with this package as a dependency.

mmmeff avatar Jul 08 '20 15:07 mmmeff

Thanks for flagging this. I agree it's not ideal. The validation rules are not the main problem here. The main problem is that we need to get the latest AMP runtime version and runtime css. These should always be up-to-date and match the latest AMP runtime served from cdn.ampproject.org. We download them to avoid that users need to update optimizer every two weeks.

I've considered syncing optimizer releases with AMP runtime releases and always include the latest version for better offline support, but so far I'm not convinced that it's worth the effort. You can also manually provide validation rules, runtime version and css to avoid network calls during build.

Sidenotes:

  1. The postinstall script is not critical and it's OK to fail (it's mostly a DevX feature to ensure that optimizer works when offline). Transformation needs network access though.
  2. Breaking changes are not a concern here as validation rules are always going to be backward compatible (otherwise all published AMP documents might suddenly break).

sebastianbenz avatar Jul 08 '20 18:07 sebastianbenz