├── .gitignore ├── test ├── seed_node_modules │ ├── fake-module │ │ └── package.json │ └── fake-module-2 │ │ └── package.json └── cli.spec.js ├── cli.js ├── package.json ├── LICENSE ├── index.js └── README.md /.gitignore: -------------------------------------------------------------------------------- 1 | node_modules 2 | -------------------------------------------------------------------------------- /test/seed_node_modules/fake-module/package.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "fake-module", 3 | "version": "1.0.0", 4 | "scripts": { 5 | "postinstall": "node malicious.js" 6 | } 7 | } -------------------------------------------------------------------------------- /test/seed_node_modules/fake-module-2/package.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "fake-module-2", 3 | "version": "1.0.0", 4 | "scripts": { 5 | "dev": "nodemon app.js" 6 | } 7 | } -------------------------------------------------------------------------------- /cli.js: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env node 2 | 'use strict'; 3 | 4 | const { walkModules } = require('./index'); 5 | 6 | const args = process.argv.slice(2); 7 | const path = args[0]; 8 | 9 | walkModules(path); 10 | -------------------------------------------------------------------------------- /test/cli.spec.js: -------------------------------------------------------------------------------- 1 | const execa = require('execa'); 2 | 3 | describe('CLI', () => { 4 | 5 | test('should identify modules with postinstall scripts', async() => { 6 | const {stdout} = await execa('./cli.js', ['./test/seed_node_modules']); 7 | expect(stdout).toContain('Potentially unsafe scripts found. These should be reviewed for safety'); 8 | expect(stdout).toContain('Module name: fake-module Type: postinstall'); 9 | }); 10 | 11 | test('should not identify clean modules', async() => { 12 | const {stdout} = await execa('./cli.js', ['./test/seed_node_modules']); 13 | expect(stdout).toContain('Potentially unsafe scripts found. These should be reviewed for safety'); 14 | expect(stdout).not.toContain('fake-module-2'); 15 | }); 16 | 17 | }); 18 | -------------------------------------------------------------------------------- /package.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "npm-viewscripts", 3 | "version": "1.0.1", 4 | "bin": { 5 | "npm-viewscripts": "cli.js" 6 | }, 7 | "main": "index.js", 8 | "description": "View which npm dependencies in a project are using npm scripts", 9 | "scripts": { 10 | "test": "jest test/cli.spec.js" 11 | }, 12 | "repository": { 13 | "type": "git", 14 | "url": "git+https://js-kyle@github.com/js-kyle/npm-viewscripts.git" 15 | }, 16 | "author": "Kyle Martin", 17 | "license": "MIT", 18 | "bugs": { 19 | "url": "https://github.com/js-kyle/npm-viewscripts/issues" 20 | }, 21 | "keywords": [ 22 | "npm", 23 | "security", 24 | "audit", 25 | "postinstall", 26 | "preinstall", 27 | "postuninstall", 28 | "ignore-scripts" 29 | ], 30 | "homepage": "https://github.com/js-kyle/npm-viewscripts#readme", 31 | "dependencies": { 32 | "directory-tree": "^2.3.1" 33 | }, 34 | "preferGlobal": true, 35 | "devDependencies": { 36 | "execa": "^2.1.0", 37 | "jest": "^24.9.0" 38 | } 39 | } 40 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | MIT License 2 | 3 | Copyright (c) 2019 Kyle Martin 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 22 | -------------------------------------------------------------------------------- /index.js: -------------------------------------------------------------------------------- 1 | const dirTree = require('directory-tree'); 2 | const fs = require('fs'); 3 | 4 | const scriptTypes = ['preinstall', 'postinstall', 'preuninstall', 'postuninstall']; 5 | const reports = []; 6 | 7 | const walkModules = ((path = 'node_modules') => { 8 | 9 | dirTree(path, {extensions:/\.json$/}, (item) => { 10 | 11 | if (item.name === 'package.json') { 12 | let pkg = JSON.parse(fs.readFileSync(item.path, 'utf8')); 13 | if (!pkg.scripts) return; 14 | let scripts = Object.keys(pkg.scripts); 15 | scripts.forEach((script) => { 16 | if (scriptTypes.includes(script)) { 17 | reports.push({name: pkg.name, script: script}) 18 | } 19 | }); 20 | 21 | } 22 | 23 | }); 24 | 25 | }); 26 | 27 | process.on('exit', () => { 28 | if (!reports.length) { 29 | console.log('No potentially unsafe scripts found.'); 30 | } else { 31 | console.log('\x1b[31m', 'Potentially unsafe scripts found. These should be reviewed for safety', '\x1b[0m'); 32 | reports.forEach((report) => { 33 | console.log(`Module name: ${report.name} Type: ${report.script}`); 34 | }); 35 | } 36 | 37 | }); 38 | 39 | module.exports = { walkModules }; 40 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | 2 |

3 |
4 | npm-viewscripts 5 |
6 |

7 | 8 |

Identify potentially malicious npm scripts in a project.

9 |

10 | GitHub 11 | NPM 12 |

13 | 14 | 15 | ## Overview 16 | 17 | This project is a Node.js CLI tool to identify which of a project's existing dependencies are utilising npm lifecycle scripts, which _could_ be malicious. 18 | 19 | The currently configured npm scripts the tool will identify are: 20 | `preinstall`, `postintall`, `preuninstall`, `postuninstall` 21 | 22 | **Note: This project is to educate, so should not be used as a complete npm security solution.** 23 | 24 | ## Installation 25 | 26 | ``` 27 | # install globally, using npm 28 | $ npm install npm-viewscripts -g 29 | 30 | # Run the cli on a project 31 | $ cd my-node-project 32 | $ npm install 33 | $ npm-viewscripts 34 | ``` 35 | 36 | ## Usage 37 | 38 | ``` 39 | $ npm-viewscripts 40 | 41 | Usage 42 | $ npm-viewscripts [path] 43 | 44 | Options 45 | path Modules folder [Default: node_modules] 46 | ``` 47 | 48 | ## Understanding the result 49 | Positive report example: 50 | ``` 51 | Potentially unsafe scripts found. These should be reviewed for safety 52 | Module name: monorepo-symlink-test Type: postinstall 53 | ``` 54 | The above output informs us that the `monorepo-symlink-test` is running a `postinstall` script, so we should review that, and ensure that it is safe. 55 | 56 | Negative report example: 57 | ``` 58 | No potentially unsafe scripts found. 59 | ``` 60 | No modules in the project are _currently_ using scripts which could be used maliciously. 61 | 62 | 63 | --------------------------------------------------------------------------------