VDB
Severity: MEDIUM

GHSA-hg3w-7f8c-63hp

pnpm: Tarball hash of GitHub git dependencies is not stored in lockfile

Details

### Summary

A malicious `codeload.github.com` server can serve whatever tarball it wants and pnpm will install it regardless of the lockfile.

### Details

The lockfile does not store the hash of dependencies fetched from https://codeload.github.com.

This means that if that server were compromised, or a person's machine configuration were compromised, pnpm would download and install whatever tarball it was served for these dependencies.

### PoC

```sh
> pnpm -v
10.28.2
```

Given the following package.json:

```json
{
  "dependencies": {
    "add": "git://github.com/dsherret/npm-git-dep.git#b3eeb9b"
  }
}
```

This produces a lockfile like so:

```yaml
lockfileVersion: '9.0'

settings:
  autoInstallPeers: true
  excludeLinksFromLockfile: false

importers:

  .:
    dependencies:
      add:
        specifier: git://github.com/dsherret/npm-git-dep.git#b3eeb9b
        version: https://codeload.github.com/dsherret/npm-git-dep/tar.gz/b3eeb9b

packages:

  add@https://codeload.github.com/dsherret/npm-git-dep/tar.gz/b3eeb9b:
    resolution: {tarball: https://codeload.github.com/dsherret/npm-git-dep/tar.gz/b3eeb9b}
    version: 1.0.0

snapshots:

  add@https://codeload.github.com/dsherret/npm-git-dep/tar.gz/b3eeb9b: {}
```

Notice that there is no hash. The `b3eeb9b` is not sufficient because I can configure my machine to resolve a compromised tarball from that url (I tested it out and pnpm just installs it).
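As an added audit check (not part of the advisory and not pnpm's own code), the script below walks a v9 `pnpm-lock.yaml` and reports package entries whose `resolution` is a `codeload.github.com` tarball with no `integrity` field, which is exactly the unpinned shape shown above. The embedded lockfile is constructed from the advisory's entry plus a made-up registry-style entry (`example-pinned`, placeholder sha512) for contrast.

```javascript
// Added audit check (not pnpm's own code): flag lockfile packages resolved to
// a codeload.github.com tarball that carry no `integrity` hash.

// Constructed sample: the advisory's git dependency plus a made-up
// registry-style entry with a placeholder integrity value for contrast.
const SAMPLE_LOCKFILE = `lockfileVersion: '9.0'

packages:

  add@https://codeload.github.com/dsherret/npm-git-dep/tar.gz/b3eeb9b:
    resolution: {tarball: https://codeload.github.com/dsherret/npm-git-dep/tar.gz/b3eeb9b}
    version: 1.0.0

  example-pinned@1.2.3:
    resolution: {integrity: sha512-PLACEHOLDERPLACEHOLDERPLACEHOLDER==}
`;

// Parse the flow mapping in a `resolution: {k: v, ...}` line into an object;
// returns null for any other line.
function parseResolution(line) {
  const m = line.match(/^\s*resolution:\s*\{(.*)\}\s*$/);
  if (!m) return null;
  const fields = {};
  for (const pair of m[1].split(',')) {
    const idx = pair.indexOf(':'); // first colon separates key from value
    if (idx === -1) continue;
    fields[pair.slice(0, idx).trim()] = pair.slice(idx + 1).trim();
  }
  return fields;
}

// Package keys sit at two-space indent and end with ':'; the resolution
// line for that package follows at a deeper indent.
function findUnpinnedGithubTarballs(lockfileText) {
  const findings = [];
  let currentKey = null;
  for (const line of lockfileText.split('\n')) {
    const keyMatch = line.match(/^  (\S.*):\s*$/);
    if (keyMatch) { currentKey = keyMatch[1]; continue; }
    const res = parseResolution(line);
    if (!res || currentKey === null) continue;
    const tarball = res.tarball || '';
    if (tarball.startsWith('https://codeload.github.com/') && !res.integrity) {
      findings.push({ pkg: currentKey, tarball });
    }
  }
  return findings;
}
```

Run it over a real lockfile by passing the file's contents to `findUnpinnedGithubTarballs`; each finding is a dependency whose contents the lockfile cannot verify.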

### Impact

Anyone relying on GitHub git dependencies.


Affected packages

npm / pnpm
First affected version: 0; fixed version: 10.33.4
Fix: npm install pnpm@10.33.4

npm / pnpm
First affected version: 11.0.0; fixed version: 11.0.7
Fix: npm install pnpm@11.0.7
