node-security

node-security copied to clipboard

Security checks can be completely bypassed by a malicious script

12

First off, I started looking at this repository because it's gaining traction. I'm also posting this _here_ since there are no listed dependents on npm (yet). I want to put...

Qix-

Getting following error when importing package: `const nodesecurity = require('@matthaywardwebdesign/node-security');` ``` [0] ERROR in ./node_modules/@matthaywardwebdesign/node-security/dist/ModuleLoader.js [0] Module not found: Error: Can't resolve 'module' in 'C:\Users\Dev\Source\Repos\TTM\app\node_modules\@matthaywardwebdesign\node-security\dist' [0] @ ./node_modules/@matthaywardwebdesign/node-security/dist/ModuleLoader.js 9:14-31 [0]...

AMerkuri

jakebolam

Security check bypass through the pollution of the prototype of object

1

I would like to second the concern of Qix in regards to the approach of sandboxing without creating a new JavaScript context. One of the issue that arises when sharing...

HoLyVieR

Explicitly state minimum node version supported

1

I'm not sure of the lowest version of node this project supports May be able to tweak this in the babelrc too

jakebolam

Add better ESM/loader support?

1

Is there any way to block this since `esm` itself will be loading the files which means `esm` needs access to `fs`. `index.js` ```js /* Import and create a new...

OmgImAlexis

Permissions should not roll down to sub dependencies

1

Looking through the code it does look like permissions given to a module roll-down to it's child dependencies. This is a terrible idea, as it will fail your security test...

asleepysamurai