Attack Surface Analysis for yarnpkg/berry

  • Description: Attackers modify the .yarnrc.yml file to control Yarn's behavior, redirecting dependencies, injecting malicious plugins, or bypassing security checks.
  • Berry Contribution: Yarn Berry's core design centralizes configuration in .yarnrc.yml, making it a single, powerful point of control. This is a fundamental difference from older package managers.
  • Example: An attacker modifies .yarnrc.yml to change npmRegistryServer to a malicious registry, causing all installs to fetch compromised packages.
  • Impact: Complete compromise of the dependency chain, leading to arbitrary code execution.
  • Risk Severity: Critical
  • Mitigation Strategies:
    • Strict Code Review: Mandatory, in-depth code reviews for all .yarnrc.yml changes.
    • Automated Validation: CI/CD pipeline checks to validate .yarnrc.yml against a schema or known-good configuration.
    • Least Privilege: Minimize write access to .yarnrc.yml.
    • File Integrity Monitoring: Use FIM tools to detect unauthorized changes.
    • Regular Audits: Periodic audits of .yarnrc.yml for unexpected configurations.

Attack Surface: Malicious Yarn Plugins

  • Description: Attackers leverage Yarn's plugin system to introduce malicious code.
  • Berry Contribution: Yarn Berry's plugin architecture is a core feature, designed for extensibility. This inherent extensibility is the attack vector.
  • Example: An attacker publishes a malicious plugin that exfiltrates data during builds.
  • Impact: Varies, but can range from data theft to complete system compromise.
  • Risk Severity: High to Critical (plugin-dependent)
  • Mitigation Strategies:
    • Plugin Allowlist: Maintain a strict allowlist of approved plugins in .yarnrc.yml.
    • Source Verification: Only install plugins from trusted sources; examine source code if possible.
    • Regular Updates: Keep plugins updated.
    • Monitoring: Monitor plugin behavior for suspicious activity.
  • Description: Attackers modify the files generated by Yarn's Plug'n'Play (PnP) system to control module resolution.
  • Berry Contribution: PnP is a defining feature of Yarn Berry, replacing the traditional node_modules directory. This is a fundamental architectural change.
  • Example: An attacker modifies .pnp.cjs to redirect a module import to a malicious file.
  • Impact: Arbitrary code execution when the hijacked module is loaded.
  • Risk Severity: Critical
  • Mitigation Strategies:
    • Treat as Code: Treat .pnp.cjs and .pnp.data.json as critical build artifacts, subject to code review and integrity checks.
    • File Integrity Monitoring: Use FIM to detect unauthorized changes.
    • Immutable Builds: Ensure builds are immutable in CI/CD environments.
    • Regular Regeneration: Periodically regenerate PnP files from a clean state.
  • Description: Attackers compromise the Yarn cache to inject malicious packages.
  • Berry Contribution: Yarn Berry's structured cache, especially when used with "zero-installs" (cache checked into the repository), creates a more direct and persistent attack target. The zero-install approach is a Berry-promoted practice.
  • Example:
    • Shared Cache: Compromise of a shared CI/CD cache server.
    • Zero-Installs: A pull request modifies the checked-in cache to include a backdoored package.
  • Impact: Arbitrary code execution.
  • Risk Severity: High to Critical (depending on cache usage)
  • Mitigation Strategies:
    • Shared Cache Security: Heavily secure shared cache servers; use dedicated artifact repositories with strong security.
    • Zero-Installs Code Review: Treat the cache directory as code; rigorous code review for any changes.
    • Cache Verification: Implement mechanisms to verify cache integrity.
    • Immutable Cache Keys: Use immutable cache keys (e.g., content hashes).
    • Regular Cache Clearing: Periodically clear and rebuild the cache.
  • Description: Attackers control environment variables to point Yarn to a malicious configuration file.
  • Berry Contribution: Yarn Berry's behavior can be significantly altered via environment variables, providing an alternative attack vector if direct file modification is not possible. The YARN_RC_FILENAME variable is one specific way to configure Yarn.
  • Example: An attacker with access to the CI/CD environment sets YARN_RC_FILENAME to /tmp/evil.yml.
  • Impact: Similar to direct .yarnrc.yml manipulation.
  • Risk Severity: High
  • Mitigation Strategies:
    • Environment Variable Sanitization: Strictly control and sanitize environment variables.
    • Least Privilege: Run build processes with minimal privileges.
    • Configuration Hardening: Prefer .yarnrc.yml over environment variables for critical settings.
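
The Automated Validation check for .yarnrc.yml and the Environment Variable Sanitization check above can be combined into one CI gate. The following is an added example, not part of the original analysis or of Yarn's own code; the policy values, the plugin path and the function name auditYarnrc are assumptions, and the line scanner covers only the simple key/value and list subset of YAML that these settings use.

```javascript
// Added example: CI gate for .yarnrc.yml and YARN_* environment overrides.
// POLICY holds constructed placeholder values; replace them with your own baseline.
const POLICY = {
  registries: ['https://registry.yarnpkg.com'],
  plugins: ['.yarn/plugins/@yarnpkg/plugin-example.cjs'], // hypothetical path
  allowedEnv: ['YARN_ENABLE_IMMUTABLE_INSTALLS'],
};
const unquote = (v) => v.trim().replace(/^(['"])(.*)\1$/, '$2');

function auditYarnrc(text, env = {}, policy = POLICY) {
  const findings = [];
  let section = null; // current top-level key, e.g. "plugins" or "npmScopes"
  text.split(/\r?\n/).forEach((raw, i) => {
    const line = raw.replace(/(^|\s)#.*$/, ''); // drop YAML comments
    if (!line.trim()) return;
    const kv = line.match(/^(\s*)(?:-\s+)?([A-Za-z][\w-]*):(?:\s+(.*))?$/);
    const item = !kv && line.match(/^\s*-\s+(.+)$/); // plain string list entry
    if (kv && kv[1] === '' && !line.startsWith('-')) section = kv[2];
    const key = kv ? kv[2] : null;
    const value = unquote(kv ? kv[3] || '' : item ? item[1] : '');
    const at = `line ${i + 1}`;
    // Checked at any depth, so per-scope registries under npmScopes are covered.
    if (key === 'npmRegistryServer' && !policy.registries.includes(value))
      findings.push(`${at}: registry not in allowlist: ${value}`);
    if (section === 'plugins' && (key === 'path' || item) && !policy.plugins.includes(value))
      findings.push(`${at}: plugin not in allowlist: ${value}`);
    if ((key === 'enableStrictSsl' && value === 'false') ||
        (key === 'checksumBehavior' && value === 'ignore'))
      findings.push(`${at}: integrity check weakened: ${key}=${value}`);
  });
  // Yarn also takes settings from YARN_* variables, including YARN_RC_FILENAME.
  // Only the name is reported, since the value may be a credential.
  for (const name of Object.keys(env))
    if (name.startsWith('YARN_') && !policy.allowedEnv.includes(name))
      findings.push(`env: unexpected override ${name}`);
  return findings;
}

// Constructed sample input, not taken from any real repository.
const SAMPLE = [
  'npmRegistryServer: "https://registry.attacker.example"',
  'enableStrictSsl: false',
  'plugins:',
  '  - path: .yarn/plugins/@yarnpkg/plugin-example.cjs',
  '  - path: .yarn/plugins/plugin-unknown.cjs',
  'npmScopes:',
  '  acme:',
  '    npmRegistryServer: https://registry.yarnpkg.com',
].join('\n');
console.log(auditYarnrc(SAMPLE, { YARN_RC_FILENAME: '/tmp/evil.yml' }));
```

In a pipeline, fail the job when the returned list is non-empty, passing process.env as the second argument.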