Skip to content

Latest commit

 

History

History
92 lines (70 loc) · 8.21 KB

mitigations.md

File metadata and controls

92 lines (70 loc) · 8.21 KB

Mitigation Strategies Analysis for vercel/turborepo

Mitigation Strategy: Strong Cache Key Validation and Integrity Checks

  • Mitigation Strategy: Strong Cache Key Validation and Integrity Checks

    • Description:

      1. Cache Key Generation (Turborepo-Specific):
        • Within your turbo.json configuration, carefully define the inputs for each task. These inputs directly influence the cache key.
        • Ensure that inputs accurately reflect all factors that should affect the task's output. This includes:
          • Source files (using glob patterns).
          • Relevant environment variables (using the $VAR syntax).
          • Dependencies (Turborepo automatically considers package dependencies, but you may need to explicitly include other files).
          • Command-line arguments (if they affect the output).
        • Use the most specific glob patterns possible to avoid including unnecessary files in the cache key.
        • If you have custom logic for generating cache keys (e.g., using a script), ensure this logic is secure and deterministic. Avoid using external sources of randomness or user-provided input without thorough validation.
        • Consider using Turborepo's dependsOn field to explicitly declare dependencies between tasks. This helps Turborepo understand the relationships between tasks and generate more accurate cache keys.
      2. Cache Integrity Checks (Before Use - Turborepo-Specific):
        • While Turborepo doesn't have built-in post-cache-creation integrity checks, you must implement this externally. This is crucial.
        • Hashing: Before using a cached artifact (which you'll need to locate in the .turbo/ directory or your configured remote cache), recalculate its SHA-256 hash.
        • Hash Storage: Store the expected hash separately from the cached artifact.
        • Comparison: Compare the recalculated hash with the stored expected hash.
        • Digital Signatures (Optional): Similar to hashing, but using digital signatures for stronger verification.

    • Threats Mitigated:

      • Cache Poisoning (High Severity): Prevents attackers from injecting malicious code by ensuring only artifacts with matching inputs are used.
      • Cache Tampering (High Severity): Detects modifications to cached artifacts after Turborepo has placed them in the cache.
      • Dependency Confusion (Medium Severity): Indirectly helps by ensuring dependency changes invalidate the cache.

    • Impact:

      • Cache Poisoning: Risk significantly reduced (when combined with external integrity checks).
      • Cache Tampering: Risk significantly reduced (requires external integrity checks).
      • Dependency Confusion: Risk moderately reduced.

    • Currently Implemented: [ Example: inputs are defined in turbo.json, but external hash verification is not yet implemented. ] (Fill this in)

    • Missing Implementation: [ Example: External hash verification and secure hash storage are missing. inputs may not be fully comprehensive for all tasks. ] (Fill this in)

Mitigation Strategy: Task Execution Safeguards (Turborepo Configuration)

  • Mitigation Strategy: Task Execution Safeguards (Turborepo Configuration)

    • Description:

      1. turbo.json Configuration:
        • Carefully review and audit the tasks defined in your turbo.json file.
        • Ensure that the command for each task is secure and does not contain any potential vulnerabilities (e.g., command injection).
        • Use the most specific inputs and outputs for each task to minimize the scope of the cache and reduce the risk of unintended side effects.
        • Avoid using overly broad glob patterns in inputs and outputs.
        • If you are using environment variables in your commands, ensure they are properly sanitized and validated.
        • Use the dependsOn field to explicitly define dependencies between tasks. This helps Turborepo understand the task graph and execute tasks in the correct order, reducing the risk of race conditions or unexpected behavior.
      2. Input Validation (within turbo.json context):
        • If any environment variables or command-line arguments are passed to Turborepo tasks (and used within the command), ensure these are validated before Turborepo uses them. This validation should happen outside of Turborepo itself (e.g., in a pre-build script), but the usage of these validated values is within the turbo.json context.
      3. Avoid Shell=True (Implicit in Turborepo):
        • Turborepo, by its nature, executes commands. Be extremely cautious about how commands are constructed, especially if they incorporate any external input. The principles of avoiding shell injection apply directly to the command strings within turbo.json.

    • Threats Mitigated:

      • Task Execution Hijacking (High Severity): Prevents attackers from injecting malicious commands into the turbo.json file.
      • Command Injection (High Severity): Careful command construction and input validation within the turbo.json context prevent exploitation.
      • Malicious Code Execution (High Severity): Prevents the execution of arbitrary code through compromised tasks.

    • Impact:

      • Task Execution Hijacking/Command Injection: Risk significantly reduced by secure configuration and input validation.
      • Malicious Code Execution: Risk significantly reduced.

    • Currently Implemented: [ Example: turbo.json is reviewed, but input validation for environment variables is handled inconsistently. ] (Fill this in)

    • Missing Implementation: [ Example: A consistent, centralized approach to validating environment variables used in turbo.json commands is missing. ] (Fill this in)

Mitigation Strategy: Denial of Service (DoS) Protection for Remote Cache (Turborepo Configuration & Provider)

  • Mitigation Strategy: Denial of Service (DoS) Protection for Remote Cache (Turborepo Configuration & Provider)

    • Description:

      1. Turborepo Configuration (Limited Impact):
        • While Turborepo itself doesn't have direct DoS protection features, you can indirectly influence this through careful configuration:
          • Minimize Cache Size: By being precise with your inputs and outputs in turbo.json, you can minimize the overall size of your cache, reducing the potential impact of a storage-based DoS attack.
          • Avoid Unnecessary Caching: Don't cache tasks that are very fast to execute or that change frequently.
      2. Remote Cache Provider Configuration (Primary Defense):
        • Rate Limiting: Configure rate limiting at the provider level (e.g., AWS S3, Azure Blob Storage, Vercel). This is not a Turborepo setting, but it's crucial for protecting your Turborepo remote cache.
        • Quota Management: Set storage quotas at the provider level.
        • Monitoring and Alerting: Configure monitoring and alerting at the provider level.

    • Threats Mitigated:

      • Denial of Service (DoS) against the Cache (Medium Severity): Prevents attackers from overwhelming the cache.

    • Impact:

      • DoS: Risk significantly reduced (primarily through provider-level controls).

    • Currently Implemented: [ Example: Using Vercel's built-in caching, which has some inherent DoS protection. No custom rate limiting or quotas are configured. ] (Fill this in)

    • Missing Implementation: [ Example: Explicit rate limiting and quota configuration at the provider level are missing. Monitoring and alerting are not specifically tailored for cache DoS. ] (Fill this in)