Mike Samuel

Results 183 comments of Mike Samuel

> I would add the criteria that you listed above in the document, as Artifactory is a product from a vendor I would like that the guide lists the properties...

https://nodesecroadmap.fyi/chapter-4/close_dependencies.html includes the rewrite. The static file server has a cache timeout of 30min so if you see the old version, a hard browser refresh should suffice.

@prettydiff

> A major concern of any security sensitive organization is data exfiltration. I do have a security concern with Node in that access to the file system is unrestricted...

@prettydiff

> The more common worry from an enterprise management perspective is always the insider threat

> There are many security problems that Node shouldn't solve as they are better...

@Trott, I think it can transfer to security-wg.

@prettydiff Relevant to

> my thinking is to reduce these risks by limiting execution of certain APIs behind privilege escalation.

Per https://github.com/nodejs/security-wg/issues/409...

@davisjam Given a source tree, `/.../` style RegExps are easy to find but I wonder if we could get dynamically created RegExps in test-covered code to your analyzer. If a...

Do you have a sense of how much of the ReDoS attack surface is application-defined RegExps vs RegExps in common dependencies vs attacker-controlled RegExps?

I'm afraid I mostly have library code as well. These use dynamic RegExps.

* [An old code highlighter](https://github.com/google/code-prettify/blob/453bd5f51e61245339b738b1bbdd42d7848722ba/src/prettify.js#L1047-L1057)
* [Some very meta RegExps for a stalled TC39 proposal](https://github.com/mikesamuel/regexp-make-js/blob/ca28272fe19d22657842aac6bcaf116d39c1b69e/RegExp.make.js#L715-L733)
* [A...

> Similarly, for Function() and its various friends (GeneratorFunction(), AsyncFunction()), do we handle arg coercion before or after HostEnsureCanCompileStrings? This would change which error is thrown when doing e.g. Function({...

> this is now merged into https://github.com/tc39/proposal-dynamic-code-brand-checks, right?

@koto, correct. https://tc39.es/proposal-dynamic-code-brand-checks/#sec-hostbeforecompilevalue