[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Security concerns with minified javascript code

 ❦  1 septembre 2015 21:10 +0200, Didier 'OdyX' Raboud <odyx@debian.org> :

> I think we should take a strong move there and exercise (as well as 
> justify to the outer world) our free software right to recompile the 
> software that we ship to our users: this could mean to only merge & gzip 
> JS files if minifying isn't realistic [3]. Not doing so _is_ going to 
> hurt our ability to exercise our freedoms in the future, it's also 
> making a disservice to our users.

It seems this thread shed too much tears and is too much focused on
minification. The minification step is usually easy. We have
yui-compressor (that nobody uses upstream, hence the small risk of using
it) and uglifyjs (but a version vulnerable to the attack at the origin
of this thread). What's difficult is to get the code to be modified from
the original source. There are two difficulties:

 1. Upstream may not ship this source but only the minified version
    because the JS code is just a dependency and some upstream are used
    to just ship the minified source. We can recover the original code
    from another source but there is a risk that this is not really the
    original code because many JS projects have a modular build (jQuery,
    modernizr, ...). This is what Raphael is explaining for Wordpress (I

 2. Upstream may generate the final pre-minification file with complex
    tools, like an AMD loader or an ES6/ES5 transpiler, along with the
    use of non-packaged build tools like Grunt.

Unfortunately, I don't have an immediate solution for the first
problem. For the second one, a solution would be to consider the
pre-minification JS code to be perfectly valid source code
(indentations, comments, variable names, everything is here).
Don't compare floating point numbers just for equality.
            - The Elements of Programming Style (Kernighan & Plauger)

Attachment: signature.asc
Description: PGP signature

Reply to: