Skip to content

Latest commit

 

History

History
111 lines (82 loc) · 8.53 KB

mitigations.md

File metadata and controls

111 lines (82 loc) · 8.53 KB

Mitigation Strategies Analysis for evanw/esbuild

Mitigation Strategy: Careful Plugin Selection and Vetting

1. Mitigation Strategy: Careful Plugin Selection and Vetting

  • Description:

    1. Establish a Plugin Approval Process: Before adding any esbuild plugin, require a review process. This could involve a designated team member or a security review checklist.
    2. Source Code Review: Download the plugin's source code (not just the installed package) from its repository (e.g., GitHub, GitLab).
    3. Dependency Analysis: Examine the plugin's package.json to identify its dependencies. Recursively review these dependencies, applying the same vetting process.
    4. Code Inspection:
      • Look for obfuscated code (minified code without source maps is a red flag).
      • Identify any network requests (using fetch, http, https modules). Understand their purpose and destination.
      • Check for file system access (using fs module). Ensure it's limited to the expected scope.
      • Search for dynamic code evaluation (e.g., eval, new Function). These are highly dangerous.
      • Look for any interaction with the environment (e.g., accessing environment variables).
    5. Reputation Check: Search for information about the plugin author and any reported issues or vulnerabilities.
    6. Documentation Review: Read the plugin's documentation carefully. Look for clear explanations of its functionality and security considerations.
    7. Small Scope Preference: Favor plugins with a limited, well-defined purpose. Avoid "kitchen sink" plugins that do too much.
    8. Regular Audits: Periodically repeat this process for existing plugins, especially after updates.

  • Threats Mitigated:

    • Malicious Code Injection (Severity: Critical): Prevents plugins from injecting arbitrary code into the build output, which could lead to remote code execution (RCE) on the server or in users' browsers.
    • Data Exfiltration (Severity: High): Reduces the risk of plugins stealing sensitive data (e.g., API keys, environment variables) during the build process.
    • Build System Compromise (Severity: High): Limits the ability of a malicious plugin to compromise the build server itself (e.g., installing backdoors, modifying system files).
    • Supply Chain Attacks (Severity: Critical): Mitigates the risk of compromised dependencies within the plugin introducing vulnerabilities.

  • Impact:

    • Malicious Code Injection: Significantly reduces the risk.
    • Data Exfiltration: Significantly reduces the risk.
    • Build System Compromise: Significantly reduces the risk.
    • Supply Chain Attacks: Moderately reduces the risk (further mitigated by dependency pinning).

  • Currently Implemented:

    • Partially Implemented: We have a basic checklist for new plugins, but it's not consistently enforced. Code reviews are sometimes performed, but not always thoroughly. The checklist is in the docs/security/build_process.md file.

  • Missing Implementation:

    • Formal Approval Process: No formal approval process or designated security reviewer for plugins.
    • Recursive Dependency Analysis: We don't consistently analyze the dependencies of plugins.
    • Regular Audits: No scheduled audits of existing plugins.
    • Automated Checks: No automated tools are used to assist with code analysis.

Mitigation Strategy: Strict Sanitization of define and inject

2. Mitigation Strategy: Strict Sanitization of define and inject

  • Description:

    1. Avoid User Input: The primary strategy is to avoid using user-supplied data directly in esbuild's define or inject options.
    2. Trusted Sources: Use environment variables, configuration files, or build-time constants instead.
    3. Whitelist Approach: If user input is absolutely necessary, use a strict whitelist. Define a set of allowed values and reject anything that doesn't match.
    4. Input Validation: Validate the input against the whitelist before passing it to esbuild.
    5. Type Checking: Ensure the input is of the expected data type (e.g., string, number, boolean).
    6. Context-Specific Sanitization: If the input is used in a specific context (e.g., as a JavaScript identifier), apply appropriate sanitization for that context. However, this is complex and error-prone; avoid it if possible.
    7. Avoid eval and new Function: Never use eval or new Function to process user input, even indirectly through define or inject.
    8. Testing: Thoroughly test the sanitization and validation logic with various inputs, including edge cases and potential attack vectors.

  • Threats Mitigated:

    • Code Injection (Severity: Critical): Prevents attackers from injecting arbitrary JavaScript code through user-supplied values passed to esbuild's define or inject.

  • Impact:

    • Code Injection: Significantly reduces the risk if implemented correctly. However, incorrect sanitization can still lead to vulnerabilities.

  • Currently Implemented:

    • Partially Implemented: We primarily use environment variables for define, but there's one instance where a build script takes a version string from a Git tag. This is validated to be a semantic version string, but it's not a strict whitelist.

  • Missing Implementation:

    • Whitelist for Version String: The version string input should be checked against a whitelist of allowed characters (e.g., digits, periods, and hyphens) and a maximum length.
    • Formal Review of define Usage: A comprehensive review of all define and inject usage is needed to ensure no other potential vulnerabilities exist.

Mitigation Strategy: Disable or Restrict Source Maps in Production

3. Mitigation Strategy: Disable or Restrict Source Maps in Production

  • Description:

    1. Disable Source Maps: For production builds, use the --sourcemap=false flag or set sourcemap: false in your esbuild configuration.
    2. External Source Maps (If Needed): If source maps are required for debugging, use --sourcemap=external. This creates separate .map files. Crucially, this is still an esbuild-specific configuration.
    3. Linked Source Maps (If Needed): If you need to link map files, use --sourcemap=linked.
    4. Inline Source Maps (Avoid): Avoid using --sourcemap=inline in production, as this embeds the source map directly in the JavaScript file.

  • Threats Mitigated:

    • Source Code Exposure (Severity: Medium to High): Prevents attackers from accessing your original source code, which could reveal sensitive information, intellectual property, or potential vulnerabilities.

  • Impact:

    • Source Code Exposure: Eliminates the risk if source maps are disabled. Significantly reduces the risk if external source maps are used (combined with server-side restrictions, which are not esbuild-specific).

  • Currently Implemented:

    • Fully Implemented: We disable source maps in production builds (--sourcemap=false).

  • Missing Implementation:

    • None.

Mitigation Strategy: Dedicated Output Directory

4. Mitigation Strategy: Dedicated Output Directory

  • Description:

    1. Dedicated outdir: Configure esbuild using the outdir option to output to a dedicated directory (e.g., dist, build, public). Alternatively, use outfile for single-file outputs.
    2. Separate from Source: This directory should be completely separate from your source code directory.

  • Threats Mitigated:

    • Sensitive File Exposure (Severity: High): By using a dedicated output directory specified within the esbuild configuration, you reduce the risk of accidentally including sensitive files in the build output that might then be deployed. This is a direct consequence of how esbuild is configured.

  • Impact:

    • Sensitive File Exposure: Significantly reduces the risk.

  • Currently Implemented:

    • Fully Implemented: We use a dedicated dist directory for output, configured via the outdir option in our esbuild configuration.

  • Missing Implementation:

    • None.