All the vulnerabilities related to the version 3.0.0 of the package
pnpm incorrectly parses tar archives relative to specification
It is possible to construct a tarball that, when installed via npm or parsed by the registry is safe, but when installed via pnpm is malicious, due to how pnpm parses tar archives.
The TAR format is an append-only archive format, and as such, the specification for how to update a file is to add a new record to the end with the updated version of the file. This means that it is completely valid for an archive to contain multiple copies of, say, package.json, and the expected behavior when extracting is that all versions other than the last get ignored.
This is further complicated by that during tarball extraction, all package managers are configured to drop the first path component, so collisions can be created simply by using multiple root folders in the archive, even without performing updates.
When pnpm extracts a tar archive via tar-stream, it appears to extract only the first file of a given name and discards all subsequent files with the same name.
Create a root folder with the following layout:
a/package.jsonpackage/package.jsonz/package.jsonFile contents:
{
"name": "test-package",
"version": "0.1.0",
"description": "This is a bad version of a test package",
"dependencies": {
"react": "^15"
}
}
{
"name": "test-package",
"version": "0.1.0",
"description": "This is a bad version of a test package",
"dependencies": {
"react": "^16"
}
}
{
"name": "test-package",
"version": "0.1.0",
"description": "This is the good version of a test package",
"dependencies": {
"react": "^17"
}
}
Then use the tar binary to produce a tarball (working directory is the root folder):
tar -c -z --format ustar -f package.tgz a package z
The order of the folders at the end matters; whichever one is last will end up being the package.json that wins when extracted by npm; the one that is first will be the one that wins when extracted by pnpm.
Install the tarball via the file: protocol.
Observe that with npm, the lockfile has react@17, while with pnpm it has react@15.
This can result in a package that appears safe on the npm registry or when installed via npm being replaced with a compromised or malicious version when installed via pnpm.
pnpm uses the md5 path shortening function causes packet paths to coincide, which causes indirect packet overwriting
The path shortening function is used in pnpm:
export function depPathToFilename (depPath: string, maxLengthWithoutHash: number): string {
let filename = depPathToFilenameUnescaped(depPath).replace(/[\\/:*?"<>|]/g, '+')
if (filename.includes('(')) {
filename = filename
.replace(/\)$/, '')
.replace(/(\)\()|\(|\)/g, '_')
}
if (filename.length > maxLengthWithoutHash || filename !== filename.toLowerCase() && !filename.startsWith('file+')) {
return `${filename.substring(0, maxLengthWithoutHash - 27)}_${createBase32Hash(filename)}`
}
return filename
}
However, it uses the md5 function as a path shortening compression function, and if a collision occurs, it will result in the same storage path for two different libraries. Although the real names are under the package name /node_modoules/, there are no version numbers for the libraries they refer to.
In the diagram, we assume that two packages are called packageA and packageB, and that the first 90 digits of their package names must be the same, and that the hash value of the package names with versions must be the same. Then C is the package that they both reference, but with a different version number. (npm allows package names up to 214 bytes, so constructing such a collision package name is obvious.)
Then hash(packageA@1.2.3)=hash(packageB@3.4.5). This results in the same path for the installation, and thus under the same directory. Although the package names under node_modoules are the full paths again, they are shared with C. What is the exact version number of C? In our local tests, it depends on which one is installed later. If packageB is installed later, the C version number will change to 2.0.0. At this time, although package A requires the C@1.0.0 version, package. json will only work during installation, and will not affect the actual operation. We did not receive any installation error issues from pnpm during our local testing, nor did we use force, which is clearly a case that can be triggered.
For a package with a package name + version number longer than 120, another package can be constructed to introduce an indirect reference to a lower version, such as one with some known vulnerability. Alternatively, it is possible to construct two packages with more than 120 package names + version numbers. This is clearly an advantage for those intent on carrying out supply chain attacks.
The solution: The repair cost is also very low, just need to upgrade the md5 function to sha256.
pnpm no-script global cache poisoning via overrides / ignore-scripts evasion
pnpm seems to mishandle overrides and global cache:
This can make workspace A (even running with ignore-scripts=true) posion global cache and execute scripts in workspace B
Users generally expect ignore-scripts to be sufficient to prevent immediate code execution on install (e.g. when the tree is just repacked/bundled without executing it).
Here, that expectation is broken
See PoC.
In it, overrides from a single run of A get leaked into e.g. ~/Library/Caches/pnpm/metadata/registry.npmjs.org/rimraf.json and persistently affect all other projects using the cache
Postinstall code used in PoC is benign and can be inspected in https://www.npmjs.com/package/ponyhooves?activeTab=code, it's just a console.log
rm -rf ~/Library/Caches/pnpm ~/Library/pnpm/store
This step is not required in general, but we'll be using a popular package for PoC that's likely cachedA/package.json:
{
"name": "A",
"pnpm": { "overrides": { "rimraf>glob": "npm:ponyhooves@1" } },
"dependencies": { "rimraf": "6.0.1" }
}
pnpm i --ignore-scripts (the flag is not required, but the point of the demo is to show that it doesn't help)B/package.json:
{
"name": "B",
"dependencies": { "rimraf": "6.0.1" }
}
pnpm iResult:
Packages: +3
+++
Progress: resolved 3, reused 3, downloaded 0, added 3, done
node_modules/.pnpm/ponyhooves@1.0.1/node_modules/ponyhooves: Running postinstall script, done in 51ms
dependencies:
+ rimraf 6.0.1
Done in 1.4s
Also, that code got leaked into another project and it's lockfile now!
Global state integrity is lost via operations that one would expect to be secure, enabling subsequently running arbitrary code execution on installs
As a work-around, use separate cache and store dirs in each workspace