Cloudflare forked just-bash and they really, really should not have
Sunil and I talked on the phone about this. He's sorry that he didn't ping me before publishing. I'm sorry that I didn't ping him before posting. It's all good.
My colleague noticed yesterday that Cloudflare forked just-bash and published it as @cloudflare/shell. Now, this is completely within their rights to do. Just-bash is published under Apache 2.0, and everybody can do with the source as they please under that permissive license. That said, it is worth having a conversation about when you should fork an open-source project and when you should not.
I think there is something like open-source "etiquette" and "community spirit" where forks are something of a last resort, because, by default, it is better to make the shared thing better than to only get your own changes in. As far as I know, there have been no attempts by Cloudflare to contribute to just-bash, and I'm the sole maintainer, so I should know.
On top of this, projects are in different states. If I have a super stable, half-abandoned project, then a fork can be very sustainable: I make the change I need, and few changes from upstream are ever expected to need to land in my fork.
Don't fork things before they are stable
This is where it comes to why forking just-bash is such a bad idea at this stage. Just-bash is not stable. It's new, under heavy development, and to some extent exploring the frontier of the "sandbox-ish thing for agents" category. The security model is still evolving, and the code base has to evolve with it.
Cloudflare's fork removed the disclaimer that this is a beta project, and it removed several references in the README to optional features that present additional security surface.
This is particularly egregious because Cloudflare replaced the python3 implementation with one that will immediately get you owned. They document using pyodide, which, by default, gives the Python program full access to the JS host environment.
Just-bash used to use pyodide, but it tried to do so in a secure way. Cloudflare removed the security-relevant code entirely 🤯. Additionally, just-bash has since migrated away from pyodide, because it really cannot be made secure under just-bash's threat model, though this likely happened after Cloudflare's fork. Again, don't fork early projects.
Defense-in-depth layers got removed
Just-bash has several defense-in-depth layers that add extra protection against host breakout. Cloudflare either forked before they were introduced or simply deleted them.
For example, just-bash has DefenseInDepthBox, which deactivates eval, the Function constructor, and other ways to evaluate code in JS while just-bash is executing. Cloudflare's own Workers runtime does not need this part, but they advertise the fork as cross-platform, and Node.js and Deno very much need it. Additionally, this layer also prevents access to global objects that may leak secrets, WASM, and other dangerous APIs, which are very much available in Workers. Again, this is just gone.
Just-bash also ships with deep checks that prevent code patterns which are prone to prototype pollution which is the most worrying vector for host-escape
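For readers unfamiliar with why prototype pollution is a host-escape vector, here is an added example (written for this post, not just-bash's own checks or its merge code; the function names and the constructed payload are assumptions). A naive recursive merge of sandbox-controlled JSON reaches `Object.prototype` through a `__proto__` key, and a host-side options object that never saw the payload suddenly answers `true` to a privilege check. The hardened form refuses the dangerous keys and builds into null-prototype objects.

```javascript
// Added example, not just-bash's own code. The vulnerable merge keeps the
// bug on purpose to show the effect; the safe merge is the pattern the
// code-pattern checks in the post are meant to steer towards.

// VULNERABLE: a typical deep-merge. `key` may be "__proto__", and
// `target["__proto__"]` resolves to Object.prototype through the accessor,
// so the recursion writes into the shared prototype.
function naiveMerge(target, source) {
  for (const key in source) {
    const value = source[key];
    if (value !== null && typeof value === "object") {
      if (target[key] === null || typeof target[key] !== "object") target[key] = {};
      naiveMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// HARDENED: reject keys that reach the prototype chain, only walk own keys,
// and build nested objects without a prototype at all.
const FORBIDDEN_KEYS = new Set(["__proto__", "constructor", "prototype"]);

function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) {
      throw new Error(`refusing to merge key "${key}"`);
    }
    const value = source[key];
    if (value !== null && typeof value === "object" && !Array.isArray(value)) {
      const existing = Object.prototype.hasOwnProperty.call(target, key) ? target[key] : undefined;
      const next =
        existing !== null && typeof existing === "object" ? existing : Object.create(null);
      target[key] = safeMerge(next, value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Host-side privilege check that never touches the sandbox's input.
function hostAllowsHostAccess(hostConfig) {
  return hostConfig.allowHostAccess === true;
}

// Runs both merges against a constructed attacker payload and reports what
// happened. Cleans up the pollution so the rest of the process is unaffected.
function demonstrate() {
  // Constructed payload, as sandboxed code might hand it to the host.
  const payload = JSON.parse('{"name":"job-1","__proto__":{"allowHostAccess":true}}');
  const hostConfig = {}; // an unrelated host object

  const report = { naivePolluted: false, safeRejected: false, cleanAfter: false };
  try {
    naiveMerge({}, payload);
    report.naivePolluted = hostAllowsHostAccess(hostConfig);
  } finally {
    delete Object.prototype.allowHostAccess;
  }

  try {
    safeMerge(Object.create(null), payload);
  } catch (err) {
    report.safeRejected = /__proto__/.test(err.message);
  }

  report.cleanAfter = !hostAllowsHostAccess(hostConfig) && !("allowHostAccess" in {});
  return report;
}
```

Note that `JSON.parse` creates `__proto__` as an ordinary own property, so `for...in` enumerates it; the damage happens on the write side, where `target["__proto__"]` hits the accessor on `Object.prototype`. Rejecting the three keys is the cheap check; `Object.create(null)` targets are the structural one, because an object with no prototype cannot be used to climb into the host's.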