Are you trusting open source blindly? Then you're in for a world of hurt!

Published on 2021-02-10.

So, you normally do pip install foo, or composer install foo, or npm install foo, or perhaps go get foo, and you never read the source code of the package you just pulled down? Well guess what, that's one (almost) sure way to blow up your project!

Pulling down open source code as a dependency without ever reading the code and verifying that it doesn't contain any backdoors or other malicious content has become one of the easiest ways to introduce malicious content into a code base.

All you have to do is this:

  1. Fix some code and create a pull request.
  2. Fix some more code, perhaps add a new feature, and create more pull requests.
  3. Upstream "rewards" you with commit access.
  4. Keep a low profile for a while longer.
  5. Make a few mistakes to check how fast "mistakes" are discovered.
  6. Create some malicious code disguised as a bug, an honest programming mistake.
  7. Repeat.

Of course you cannot validate every single line of code in every open source project you might use, but I cannot fathom how just about everyone today is completely and blindly trusting every package out there. This is a level of madness, ignorance and naivety in the software industry not previously seen.

In the past many honest mistakes were made, and many systems were not originally programmed with security in mind. As the industry progressed and matured, many efforts were made on many different levels and fronts to improve security. Yet for some reason, with the improved access to online cooperation, this has been almost completely set back to a state even worse than in the beginning.

A different subject, yet just as relevant, is how people keep making popular third party packages "hard" dependencies for their own code base. This is a mistake that can very easily blow up your code base completely, just like this for example: https://github.com/pyca/cryptography/issues/5771

My point with this minor "rant" is that you need to carefully consider what packages you pull down. Don't just trust a project because it is open source. The idea that open source has many eyes watching is a myth. Nobody wants to read other people's code, so very rarely does anyone do that.

Remember the Heartbleed bug?

If your code base is important, make sure (as much as possible) that you can trust the code you pull down as a dependency. Read as much of the third party code as possible, create diffs when changes are made, and investigate and understand how the project handles security. If you don't, you're only asking for trouble.
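One practical way to "create diffs when changes are made" is to record a per-file hash manifest of a dependency at the time you reviewed it, and on every update compare the new tree against that manifest so that only the files that actually changed need a fresh read. The script below is an added example written for this post, not code from the author or from any package mentioned above; the package layout and file contents it builds are constructed in a temporary directory purely to show the mechanism.

```python
"""Snapshot a dependency's file hashes and report what changed on update.

Added, hypothetical helper: record a manifest when you review a vendored
package, then diff the next version against it so review effort goes to
the files that changed instead of the whole tree.
"""
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 in 64 KiB chunks (safe for large archives)."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every regular file under root (relative POSIX path) to its SHA-256."""
    manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            manifest[p.relative_to(root).as_posix()] = sha256_file(p)
    return manifest


def compare_manifests(old: dict, new: dict) -> dict:
    """Classify paths as added, removed or modified between two manifests."""
    common = set(old) & set(new)
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "modified": sorted(p for p in common if old[p] != new[p]),
    }


def verify_archive(path: Path, expected_sha256: str) -> bool:
    """Check a downloaded package archive against the hash you pinned at review
    time; this is the same comparison pip's --require-hashes mode performs."""
    return sha256_file(path) == expected_sha256.lower()


def demo() -> dict:
    """Constructed scenario: a two-file package is reviewed, then an 'update'
    alters one file and introduces a new one. Returns the change report."""
    with tempfile.TemporaryDirectory() as tmp:
        pkg = Path(tmp) / "foo"          # hypothetical package name
        pkg.mkdir()
        (pkg / "__init__.py").write_text("VERSION = '1.0'\n")
        (pkg / "core.py").write_text("def add(a, b):\n    return a + b\n")
        baseline = build_manifest(pkg)   # what you recorded after reviewing 1.0

        # The next release: core.py changes, and a file that never existed appears.
        (pkg / "core.py").write_text("def add(a, b):\n    return int(a) + int(b)\n")
        (pkg / "net.py").write_text("import socket\n")
        return compare_manifests(baseline, build_manifest(pkg))


if __name__ == "__main__":
    # Prints which files a reviewer must actually read before accepting the update.
    print(json.dumps(demo(), indent=2))
```

Store the manifest next to your lock file and commit it; a reviewer then diffs only the "added" and "modified" entries, and an unexpected new module like net.py above stands out immediately instead of hiding in a large release. For the archive itself, pinning the hash in requirements.txt (`foo==1.0 --hash=sha256:...`) and installing with `pip install --require-hashes` gives you the verify_archive check for free.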