Suspicious file
-
@julian, @baris and @psychobunny, should there be a file named public-suffix.txt in an installation of NodeBB, under the /usr/lib/node_modules/npm/node_modules/request/node_modules/tough-cookie/ directory?
Is there even a directory named tough-cookie in an installation of NodeBB?
-
Hey @planner -- the path of the file suggests that tough-cookie is a Node.js module that is a dependency of request, which is globally installed.
In fact, the path you pasted isn't even a NodeBB directory... so possibly could be an issue with the tough-cookie package.
-
Nope... and it's not part of NodeBB either (although we use it in our hosting platform, which is completely separate).
At some point, it looks like you ran sudo npm install -g request. That's why that package is installed in /usr/lib/node_modules
-
No, I didn't install anything like that. What has me worried is the content of the public-suffix.txt in particular and all the files and directories under the tough-cookie directory. The GitHub page for that project is at https://github.com/goinstant/tough-cookie.
Is that legit?
-
Looks like a legit module.
-
To be fair, request is actually a dependency of npm.
https://github.com/npm/npm/blob/master/package.json#L75
-
Not being a Node guru and not knowing what the contents of that file should be, I had to check. Does it make any sense for that file (public-suffix.txt) to contain a listing of more websites than I ever come across in one file?
I did check out the company behind it and they seem legit, but I still had to satisfy my paranoid self.
-
@planner it's probably this file from their repo: https://github.com/goinstant/tough-cookie/blob/master/public-suffix.txt
So all should be good.
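
The replies in this thread identify the owner of the file by reading the node_modules nesting in its path. As an added example (not code from any poster, NodeBB or npm), the sketch below does that reading programmatically, including scoped packages; the function name dependencyChain and the second sample path are constructed for illustration.

```javascript
// Added example: work out which package owns a file from its node_modules path.
// Each "node_modules/<name>" pair is one level of nesting: the first package is
// the top-level install, every later one is a dependency of the one before it.
function dependencyChain(filePath) {
  // Accept "/" or "\" separators and collapse repeated ones.
  const parts = filePath.split(/[\\/]+/);
  const chain = [];
  let root = null;      // the outermost node_modules directory
  let lastPkgEnd = -1;  // index of the last segment of the innermost package

  for (let i = 0; i < parts.length; i++) {
    const next = parts[i + 1];
    if (parts[i] !== 'node_modules' || !next) continue;
    if (root === null) root = parts.slice(0, i + 1).join('/');

    let name = next;
    let end = i + 1;
    // Scoped packages occupy two path segments: @scope/name
    if (name.startsWith('@') && parts[i + 2]) {
      name += '/' + parts[i + 2];
      end = i + 2;
    }
    chain.push(name);
    lastPkgEnd = end;
    i = end; // continue scanning after the package name
  }

  if (chain.length === 0) return null; // not inside any node_modules tree

  return {
    root,                                   // where the top-level install lives
    chain,                                  // outermost package first
    owner: chain[chain.length - 1],         // package that ships the file
    packageDir: parts.slice(0, lastPkgEnd + 1).join('/'),
    file: parts.slice(lastPkgEnd + 1).join('/'),
  };
}

// The path from the first post in this thread.
const sample =
  '/usr/lib/node_modules/npm/node_modules/request/node_modules/tough-cookie/public-suffix.txt';
const info = dependencyChain(sample);
console.log(info.chain.join(' -> '), '| file:', info.file);
```

The packageDir value is the directory whose package.json names the package and version, which is what to compare against the upstream repository.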