FHIR Chat · global npm registry for profiles · implementers

Stream: implementers

Topic: global npm registry for profiles
nicola (RIO/SS) (Aug 23 2021 at 13:48):

Why don't we publish (at least core IGs) into global npm registry?

nicola (RIO/SS) (Aug 23 2021 at 13:56):

This is inconvenient and looks like a security problem (attached: image.png)

Lloyd McKenzie (Aug 23 2021 at 14:13):

@Mark Iantorno

Grahame Grieve (Aug 23 2021 at 19:05):

no security advisories found for hl7.fhir.us.core

where are you looking?

Grahame Grieve (Aug 23 2021 at 19:10):

it's pretty bizarre since the actual package contains no code

nicola (RIO/SS) (Aug 23 2021 at 19:39):

https://www.npmjs.com/

Eric Prud'hommeaux (Aug 23 2021 at 19:41):

direct link: https://www.npmjs.com/package/hl7.fhir.us.core

Eric Prud'hommeaux (Aug 23 2021 at 19:44):

interesting, I've never seen this before. The security message replaces the original link to the repo. Anyone got it?

Grahame Grieve (Aug 23 2021 at 19:47):

I don't really know npmjs.com... surely there's a way to find out who published a package? Because I can't see here, it's almost like the security notification was created from scratch

nicola (RIO/SS) (Aug 23 2021 at 19:58):

npmjs is the central npm package repository

nicola (RIO/SS) (Aug 23 2021 at 19:58):

if you run npm install it will search for the package on npmjs.com

Grahame Grieve (Aug 23 2021 at 20:03):

right. that much I did know. But how do you find out who published a package?

Grahame Grieve (Aug 23 2021 at 20:03):

And why would that package be called a security risk when it only contains json?

Eric Prud'hommeaux (Aug 23 2021 at 20:05):

normally, packages are associated with a repo and a list of collaborators, e.g. https://www.npmjs.com/package/@shexjs/shape-path-query

Eric Prud'hommeaux (Aug 23 2021 at 20:06):

the problem is that we don't have access to that, because someone at npm, probably acting in good faith, replaced the entry in the db with the entry for security-holder

Grahame Grieve (Aug 23 2021 at 20:07):

can we ask? I'm at a loss where to go from here...

Eric Prud'hommeaux (Aug 23 2021 at 20:07):

kinda makes sense to do that with dire security threats but it leaves us without a lot of threads to pull on for debugging

Eric Prud'hommeaux (Aug 23 2021 at 20:07):

i'm pestering some folks

Eric Prud'hommeaux (Aug 23 2021 at 20:08):

(but no one with any connections. hopefully, that will come)

Chris Moesel (Aug 23 2021 at 20:08):

I don't know how you find out who originally published it (prior to npm's security placeholder), but we shouldn't assume it only contained JSON. If it was truly a nefarious actor, then they likely did upload it with nefarious (non-JSON) code, squatting on the name and hoping to take some of us unaware.

Grahame Grieve (Aug 23 2021 at 20:08):

well, that's possible, I guess

Eric Prud'hommeaux (Aug 23 2021 at 20:08):

so we have no idea of what should be there?

Grahame Grieve (Aug 23 2021 at 20:09):

https://simplifier.net/packages/hl7.fhir.us.core/4.0.0

Eric Prud'hommeaux (Aug 23 2021 at 20:10):

npm --registry https://packages.simplifier.net install hl7.fhir.us.core@4.0.0 suggests to me that it was never published on npm

Eric Prud'hommeaux (Aug 23 2021 at 20:11):

probably some dickwad has a script that googles for --registry and tries to impersonate the mentioned package name at npmjs.com

Eric Prud'hommeaux (Aug 23 2021 at 20:13):

i'm filing an issue at https://www.npmjs.com/support presuming my theory above

Grahame Grieve (Aug 23 2021 at 20:14):

hmm ok. but there's only two packages I can see. hl7.fhir, which is a non-package, and hl7.fhir.us.core. But there's 100s of others...

Eric Prud'hommeaux (Aug 23 2021 at 20:15):

indicating that the squatting isn't well-automated?

Eric Prud'hommeaux (Aug 23 2021 at 20:16):

(maybe we can sell them some software that improves their squatting efficacy)

Chris Moesel (Aug 23 2021 at 20:21):

I was able to find a little bit more info by using the npm view hl7.fhir.us.core time command. It provided the following:

{
  '3.1.1': '2021-02-20T08:10:30.793Z',
  created: '2021-02-21T15:12:37.873Z',
  '0.0.1-security': '2021-02-21T15:12:37.998Z',
  modified: '2021-02-21T15:12:40.556Z'
}

So we know that the version declared when it was initially uploaded was v3.1.1. It was uploaded Feb 20 and GitHub took it down Feb 21. I tried to find out contributor info for the 3.1.1 version, but GH wasn't coming back w/ any of that.

It also could have been totally unintentional. We really don't know. It's pretty easy via the npm commandline to publish any arbitrary package if it's a unique name. All it would have taken is for someone to be in the US Core source code repo (with its local package.json) and type npm publish (if they're logged into npm). That said, I'm not sure that the real US Core source would have been flagged as a threat...

Eric Prud'hommeaux (Aug 23 2021 at 20:24):

yeah, seems a bit weird, but it's possible i was too quick to assume malfeasance in the issue i filed:

https://simplifier.net/packages/hl7.fhir.us.core/4.0.0 has instructions for installing hl7.fhir.us.core, which is published on a fhir-specific registry:

npm --registry https://packages.simplifier.net install hl7.fhir.us.core@4.0.0

There's an NPM package by the same name which has been replaced with npm/security-holder, presumably because of some malicious content. Would it be possible to give the controlling account to myself of grahame@hl7.org so we can either replace it with the proper package or with a pointer to simplifier.net ?

Eric Prud'hommeaux (Aug 23 2021 at 20:25):

if they give it to me, i'll briefly go mad with power, then try to figure out to whom to give the keys

Chris Moesel (Aug 23 2021 at 20:26):

Also, we can see, via npm-stats, that people have attempted to download US Core from the npm registry. Not that many people, but _some_.

Grahame Grieve (Aug 23 2021 at 20:30):

the full us core would sure be flagged as a security issue because it would include batch files etc

Eric Prud'hommeaux (Aug 23 2021 at 20:31):

most npm packages have executable (albeit js) scripts

Eric Prud'hommeaux (Aug 23 2021 at 20:31):

hard to see how to stick out in that field

nicola (RIO/SS) (Aug 23 2021 at 20:52):

I think we should publish our packages to npmjs.com and solve name clashes one by one. Probably we can contact the npm guys and somehow reserve some prefix for hl7

Gino Canessa (Aug 24 2021 at 17:06):

Some of the scripts (e.g., the ones that update the scripts) download from a repo and run that code immediately. That one gets flagged on my desktop too.

Gino Canessa (Aug 24 2021 at 17:09):

Also, it would be nice to establish a convention for signifying the specification package vs. one containing some sort of language tools (e.g., if you wanted to create a package for JS or TS based on US Core, what should that package name look like). I would prefer if the convention works across tools so that we can cross publish (e.g., if we add packages to NuGet and want packages built on the Firely libraries there).

Grahame Grieve (Aug 24 2021 at 18:08):

well, from my pov, that won't start with hl7. since it wouldn't be hl7 publishing it

Gino Canessa (Aug 24 2021 at 18:41):

:face_palm: that works =).

Josh Mandel (Aug 25 2021 at 17:38):

If we ever want to officially publish HL7 packages to (non-HL7-managed) global registries, we'd want to do one or both of:

  1. Use scoped package names for global registries that support this (e.g., @hl7/fhir.us.core for npm to prevent squatters from asserting control of official HL7 package names)
  2. Use signed packages for global registries that support this (npm doesn't, or rather the public registry signs packages, rather than authors signing them)

nicola (RIO/SS) (Aug 25 2021 at 18:52):

Scoped packages look like a good option

Grahame Grieve (Aug 26 2021 at 02:01):

how does that prevent squatters from asserting control?

nicola (RIO/SS) (Aug 26 2021 at 08:28):

I believe for scoped npm - you will own the scope - https://docs.npmjs.com/about-scopes

Grahame Grieve (Aug 26 2021 at 12:43):

i think that will break all the dependencies

nicola (RIO/SS) (Aug 26 2021 at 23:20):

We do not have to rename and break them - just keep both - scoped on the official npm registry + scoped and old on simplifier
New IGs will use scoped packages - old ones will eventually migrate

nicola (RIO/SS) (Aug 26 2021 at 23:23):

btw simplifier registry does not resolve deps properly :( - https://chat.fhir.org/#narrow/stream/179166-implementers/topic/npm.20from.20simpifier.20and.20deps

Grahame Grieve (Sep 16 2021 at 12:10):

so a follow up to this: I have to use github's trademark policy violation process to recover control over hl7 and fhir organizations. It will take some time... (I can't find out who owns them any other way)

John Moehrke (Sep 16 2021 at 12:20):

let me know what I need to know to help IHE
Last updated: Apr 12 2022 at 19:14 UTC