
It does include notes for every change introduced in v2 (there aren't many changes from v1)


Author here. You are correct about everything. I appreciate that you took the time to write this.

The only exception is that, honestly, I'm not very familiar with the topic. I did try to mock the typical pseudo-tutorial articles, but I don't claim that I can do any better.


In all fairness, the previous versions didn't post correctly; they were never visible (you can verify this). I think it was an issue caused by the temporary outage yesterday.


Author here, you are correct.

I guess I was trying to express the "saudade" of finding a new topic but not having the time to learn it properly.


It was entertaining.


Thanks!


Great article!

So, let me see if I get this straight...

cdnjs is a CDN for javascript libraries. cdnjs has a "library update server", in which an "auto-update script" runs periodically to update the libraries that the CDN offers. If it finds a new version of a library, it downloads the files from the library's git repository, and it publishes them on the CDN.

There can be symlinks in git repositories, but the "auto-update script" doesn't handle them correctly. And that's the core of the vulnerability.

If you own the git repository of a library published by cdnjs, you could add a symlink to the git repository. The symlink could point to a file that you want to access on the cdnjs "library update server". Then, as soon as the "auto-update script" runs, the file's contents will be public to everyone on the CDN.

But how would you manage to create a malicious library and have it approved by cdnjs? That's the part of the exploit that sounds the hardest, and I don't see a reasonable way to go about it.


> But how would you manage to create a malicious library and have it approved by cdnjs? That's the part of the exploit that sounds the hardest, and I don't see a reasonable way to go about it.

1. Hijack an existing library to publish the malicious version

2. Or, have us approve what looks like a legitimate library, which later publishes a malicious version


> 1. Hijack an existing library

Hijack or buy outright an existing library. IIRC, there have been many such instances where existing projects have been sold for large sums to questionable parties.


As I understand it, every library in the npm registry (the libraries you can install using npm) is also automatically approved (which sounds reasonable; you don't want to approve every library by hand).

And that's what the author exploits by registering a library that has a symlink in it, which then got executed.
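The two comments above (the summary of how the auto-update script follows a symlink in a checked-out repository, and the note that npm-registered libraries are picked up automatically) describe the same failure: a publish step that copies whatever the repository contains without checking what each entry really is. The following is an added example, not code from the thread or from cdnjs, showing the check a defender would put in front of such a step. It walks a checked-out directory, refuses symlinks and anything that resolves outside the repository root, and copies only regular files into the CDN directory. The function names (`collect_publishable_files`, `publish`, `build_sample_repo`, `demo`) and the sample repository it builds in a temporary directory are constructed for the example.

```python
"""Added example (hypothetical names, not cdnjs's own code): reject symlinks
before publishing a checked-out repository to a CDN directory."""
import os
import shutil
import tempfile
from pathlib import Path


def collect_publishable_files(repo_root):
    """Split the entries under repo_root into (safe, rejected).

    safe:     relative paths of regular files whose resolved location stays
              inside repo_root.
    rejected: (relative path, reason) for symlinks, symlinked directories and
              anything resolving outside the repository, i.e. the entries the
              auto-update script in the story followed blindly.
    """
    root = Path(repo_root).resolve()
    safe, rejected = [], []
    # followlinks defaults to False, so a symlinked directory is never descended into;
    # we still record it so the rejection shows up in the publish log.
    for dirpath, dirnames, filenames in os.walk(root):
        for name in list(dirnames):
            d = Path(dirpath) / name
            if d.is_symlink():
                rejected.append((str(d.relative_to(root)), "symlinked directory"))
                dirnames.remove(name)
        for name in filenames:
            f = Path(dirpath) / name
            rel = str(f.relative_to(root))
            if f.is_symlink():
                rejected.append((rel, "symlink"))
                continue
            try:
                # relative_to raises ValueError if the real path escapes the root.
                f.resolve(strict=True).relative_to(root)
            except (ValueError, OSError):
                rejected.append((rel, "resolves outside repository"))
                continue
            if not f.is_file():
                rejected.append((rel, "not a regular file"))
                continue
            safe.append(rel)
    return sorted(safe), sorted(rejected)


def publish(repo_root, cdn_root):
    """Copy only the safe files into cdn_root; return the rejected entries for logging."""
    safe, rejected = collect_publishable_files(repo_root)
    for rel in safe:
        dst = Path(cdn_root) / rel
        dst.parent.mkdir(parents=True, exist_ok=True)
        shutil.copyfile(Path(repo_root) / rel, dst)
    return rejected


def build_sample_repo(base):
    """Constructed sample: a small library repo next to a file that must stay private."""
    base = Path(base)
    secret = base / "server-secret.txt"          # stands in for a file on the update server
    secret.write_text("not for the CDN\n")
    repo = base / "repo"
    (repo / "dist").mkdir(parents=True)
    (repo / "dist" / "lib.min.js").write_text("console.log('hello');\n")
    (repo / "package.json").write_text('{"name": "demo-lib", "version": "1.0.1"}\n')
    # The entries the check must catch: a symlink to a file outside the repo,
    # and a symlink to a directory outside the repo.
    os.symlink(secret, repo / "dist" / "leak.js")
    os.symlink(base, repo / "outside")
    return repo


def demo():
    """Publish the sample repo and report what reached the CDN and what was rejected."""
    with tempfile.TemporaryDirectory() as tmp:
        repo = build_sample_repo(tmp)
        cdn = Path(tmp) / "cdn"
        rejected = publish(repo, cdn)
        published = sorted(str(p.relative_to(cdn)) for p in cdn.rglob("*") if p.is_file())
        return published, rejected


if __name__ == "__main__":
    published, rejected = demo()
    print("published:", published)
    print("rejected: ", rejected)
```

The check is deliberately done on the file system after checkout rather than on the git tree, so it also catches the case where the checkout itself created the link; if the repository were instead extracted from an npm tarball, the same resolve-and-compare test applies to each archive member before it is written.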

