Virtually every non-trivial program pulls in third-party libraries. As we, as software/security engineers, have no time to carefully review every third-party library (and its dependencies, and transitive dependencies), we implicitly put a lot of trust in these third-party libraries.
This doesn’t always work out well: think of the event-stream incident:
A widely used Node.js code library listed in NPM’s warehouse of repositories was altered to include crypto-coin-stealing malware. The lib in question, event-stream, is downloaded roughly two million times a week by application programmers.
If an application can access the filesystem, then the third-party libraries can too, because the filesystem is typically globally available.
It is typically not possible to give restricted access to a third-party library.
Sandboxing doesn’t solve this problem, because if your application has access to the filesystem, all (transitively) dependent packages automatically have access to the filesystem as well.
A solution would be to not make the filesystem globally available, but only in the application’s entry point, and allow a reference to the filesystem to be passed to functions (including ones in third-party libraries) that need it.
This is dependency injection used from a security angle.
This way, a third-party library would only be able to access the filesystem when it is explicitly passed in. A third-party library wouldn’t by default be able to encrypt your hard drive or read your Bitcoin wallet.
This could be made more fine-grained: rather than injecting a reference to the entire filesystem, a reference to a directory or to a specific file could be injected. This way, a third-party library could be granted limited access to exactly what it needs to operate properly.
Francisco, Thomas Claburn in San. n.d. “Check Your Repos… Crypto-Coin-Stealing Code Sneaks into Fairly Popular NPM Lib (2m Downloads per Week).” Accessed March 7, 2021. https://www.theregister.com/2018/11/26/npm_repo_bitcoin_stealer/.
“Npm Blog Archive: Details about the Event-Stream Incident.” n.d. Accessed March 7, 2021. https://blog.npmjs.org/post/180565383195/details-about-the-event-stream-incident.
Miller, Mark Samuel. n.d. “Towards a Unified Approach to Access Control and Concurrency Control,” 229.
Pombrio, Justin. n.d. “Preventing Log4j with Capabilities.” Accessed December 27, 2021. https://justinpombrio.net/2021/12/26/preventing-log4j-with-capabilities.html.