[Security] How to securely use plugins?

[hexnickk4997]

Hey 👋

As far as I understand, the only way to add a plugin is to run yarn plugin import <name> as stated in https://yarnpkg.com/cli/plugin/import, which creates plugin folder and adds there huge minified .cjs file.

The issue is that this file is completely unverifiable, e.g. if developer's machine got somehow malwared, then this malware can inject any piece of code into this cjs file during install or update and no one will be able to manually spot, since code is minified.

Is it possible to somehow install plugins during yarn install or somehow verify checksum against published plugin version via yarn itself?

Basically this is the similar issue to #4138, but previous one was resolved by corepack, thanks for that effort 🙏

Attempted solution 1

Btw it would be possible to add installation to postinstall and hide plugins folder via .gitignore, but plugin installation adds entry to .yarnrc.yml, so it's not that simple :(

plugins:
  - path: .yarn/plugins/@yarnpkg/plugin-interactive-tools.cjs
    spec: "@yarnpkg/plugin-interactive-tools"

Attempted solution 2

Also tried to use @yarnpkg/plugin-interactive-tools via require, but it looks like it's just impossible, I wasn't able to make it run.

[hexnickk4997]

Hey, @arcanis can you take a look? 🙏 🙏 🙏

[hexnickk4997]

Can someone take a look here? Still haven't figured it out

[jj811208]

As far as I know this is not completely unobservable, because the plugin folder should be controlled by git, so if we accidentally change it, then git should point out that the file has been modified, unless it was injected with malicious code before the first commit.

(I may have misunderstood something)

[hexnickk4997]

@jj811208 that's absolutely correct, but the issue is that during the plugin update, this minified JS file will be heavily changed, so it's almost impossible for a reviewer to spot an injected code, especially if it's obfuscated. Also, in some cases, GitHub doesn't even show these changes in minified files, which makes things even worse :(

[jj811208]

I just had a discussion with a yarnpkg member about plugin checksums.

This PR may solve your question, although it's not finished yet, but you can follow it

#4912

[hexnickk4997]

I just had a discussion with a yarnpkg member about plugin checksums.

This PR may solve your question, although it's not finished yet, but you can follow it

#4912

Looks awesome, thanks! We actually will be able to add .yarn/plugins to gitignore and just fetch it on each install, this should be a nice workaround