Cloudflare, Inc. is an American web infrastructure and website security company that provides content delivery network services, DDoS mitigation, Internet security, and distributed domain name server services.
Cloudflare, which runs cdnjs, is running a “Vulnerability Disclosure Program” on HackerOne, which allows hackers to perform vulnerability assessments. This article describes vulnerabilities reported through this program and published with the permission of the Cloudflare security team. So this article is not intended to recommend you to perform an unauthorized vulnerability assessment. If you found any vulnerabilities in Cloudflare’s product, please report it to Cloudflare’s vulnerability disclosure program.
I found out that the library information is managed on the GitHub repository, so I checked the repositories of the GitHub Organization that is used by cdnjs. As a result, it was found that the repository is used in the following ways.
- cdnjs/packages: Stores library information that is supported in cdnjs
- cdnjs/cdnjs: Stores files of libraries
- cdnjs/logs: Stores update logs of libraries
- cdnjs/SRIs: Stores SRI (Subresource Integrity) of libraries
- cdnjs/static-website: Source code of cdnjs.com
- cdnjs/origin-worker: Cloudflare Worker for origin of cdnjs.cloudflare.com
- cdnjs/tools: cdnjs management tools
- cdnjs/bot-ansible: Ansible repository of the cdnjs library update server
As you can see from these repositories, most of the cdnjs infrastructure is centralized in this GitHub Organization.
I was interested in cdnjs/bot-ansible and cdnjs/tools because it automates library updates. After reading codes of these 2 repositories, it turned out cdnjs/bot-ansible executes
autoupdate command of cdnjs/tools in the cdnjs library update server periodically, to check updates of library from cdnjs/packages by downloading npm package / Git repository.