Remote code execution in cdnjs of Cloudflare

This page summarizes the projects mentioned and recommended in the original post on news.ycombinator.com

  • packages

    📦 Package configurations - The #1 free and open source CDN built to make life easier for developers. (by cdnjs)

    You can make a request to have it added on our GitHub repository."

    Amusingly you can see the "hey-sven" library they added to test the fix: https://github.com/cdnjs/packages/pull/695

    If you download the tarball directly, https://registry.npmjs.org/hey-sven/-/hey-sven-1.0.2.tgz, and then run tar -ztvf hey-sven-1.0.2.tgz, you can see:

        -rw-r--r-- 0 ryotak staff 204 Jun 2 16:21 package/package.json
        -rw-r--r-- 0 ryotak wheel  10 Jun 2 16:21 ../../../../../../../../../../tmp/ryotak
        -rw-r--r-- 0 ryotak wheel  10 Jun 2 16:22 ../../../../../../../../../../tmp/ryotak.sh

  • cdnjs

    🤖 CDN assets - The #1 free and open source CDN built to make life easier for developers.

    I was curious if the offending commit is still there but I didn't see anything that looked like it: https://github.com/cdnjs/cdnjs/commits/master?after=6901ec10...

    That commit log should give you a better sense of what happened if you (like me) didn't understand how cdnjs works. Apparently robocdnjs will just pull arbitrary packages and unzip and commit them into the cdnjs repo which then gets served all over the internet. Crazy!


  • cjdns

    An encrypted IPv6 network using public-key cryptography for address allocation and a distributed hash table for routing.

    I was really excited for a moment, because I thought this was cjdns https://github.com/cjdelisle/cjdns.

  • go

    The Go programming language

    This exact thing is being discussed here: https://github.com/golang/go/issues/25849. Maybe take a look.
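
The hey-sven listing quoted above shows the shape of the bug: tar member names that climb out of the extraction directory with ../ segments, so a naive extractor writes wherever the archive says. The following Python is an added example, not code from cdnjs, RyotaK or the original post. It builds an in-memory .tgz with the same member names as the listing (file contents are made up), reports the members that would land outside the extraction root, and refuses to extract an archive that contains any. The function names, the sample contents and the throwaway extraction directory are assumptions of this example.

```python
"""Detect tar path traversal ("tar slip") before extracting a registry tarball."""
import io
import os
import posixpath
import tarfile
import tempfile

# Constructed sample: the member names mirror the hey-sven-1.0.2.tgz listing
# quoted above; the file contents are invented for this example.
TRAVERSAL_NAMES = [
    "../../../../../../../../../../tmp/ryotak",
    "../../../../../../../../../../tmp/ryotak.sh",
]


def build_demo_tarball(include_traversal: bool = True) -> bytes:
    """Build a .tgz in memory with one benign file under package/ and,
    optionally, two entries whose names climb out of the extraction root."""
    entries = [("package/package.json", b'{"name": "hey-sven", "version": "1.0.2"}\n')]
    if include_traversal:
        entries += [(name, b"pwned\n") for name in TRAVERSAL_NAMES]
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in entries:
            info = tarfile.TarInfo(name)  # tarfile does not sanitize names on write
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def escapes_root(path: str) -> bool:
    """True if `path`, taken relative to the extraction root, would resolve
    outside it: absolute, backslash-separated, or climbing out via '..'."""
    if path.startswith("/") or "\\" in path:
        return True
    norm = posixpath.normpath(path)
    return norm == ".." or norm.startswith("../")


def unsafe_members(tar_bytes: bytes) -> list:
    """Names of members that must not be extracted: traversal in the member
    name, links whose target leaves the root, and device/FIFO special files."""
    bad = []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:gz") as tar:
        for m in tar.getmembers():
            if escapes_root(m.name) or m.isdev():
                bad.append(m.name)
                continue
            if m.issym():
                # A symlink target is relative to the directory holding the link.
                if m.linkname.startswith("/"):
                    target = m.linkname
                else:
                    target = posixpath.join(posixpath.dirname(m.name), m.linkname)
                if escapes_root(target):
                    bad.append(m.name)
            elif m.islnk():
                # A hard link target is an archive-relative path.
                if escapes_root(m.linkname):
                    bad.append(m.name)
    return bad


def safe_extract(tar_bytes: bytes, dest: str) -> list:
    """Refuse the whole archive if any member is unsafe; otherwise extract it
    and return the member names. On Python 3.12+ the stdlib 'data' filter is
    passed as well, so extraction re-checks paths against dest on disk."""
    bad = unsafe_members(tar_bytes)
    if bad:
        raise ValueError(f"refusing to extract, unsafe members: {bad}")
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:gz") as tar:
        kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
        tar.extractall(dest, **kwargs)
        return [m.name for m in tar.getmembers()]


def demo() -> dict:
    """Run both archives through the check in a throwaway directory."""
    dest = tempfile.mkdtemp()
    result = {
        "unsafe": unsafe_members(build_demo_tarball()),
        "extracted": safe_extract(build_demo_tarball(include_traversal=False), dest),
        "on_disk": os.path.isfile(os.path.join(dest, "package", "package.json")),
    }
    try:
        safe_extract(build_demo_tarball(), dest)
        result["refused"] = False
    except ValueError:
        result["refused"] = True
    return result


if __name__ == "__main__":
    print(demo())
```

The check is done on the archive as a whole before anything is written, because a per-member decision made during extraction is too late once an earlier member has already planted a symlink; rejecting link members whose targets leave the root, and letting the interpreter's own `data` filter re-validate paths at extraction time, closes that sequence as well. A name-only scan like the one in the listing above (grep for `../` in `tar -tvf` output) catches the hey-sven case but not the link variants.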
