node-security icon indicating copy to clipboard operation
node-security copied to clipboard

Add better ESM/loader support?

Open OmgImAlexis opened this issue 7 years ago • 1 comments

Is there any way to block this since esm itself will be loading the files which means esm needs access to fs.

index.js

/* Import and create a new instance of NodeSecurity */
const nodesecurity = require('@matthaywardwebdesign/node-security');
const NodeSecurity = new nodesecurity();

/* Configure NodeSecurity */
NodeSecurity.configure({
    core: {
        /* Define global fs access */
        fs: false,
        /* Enable other core modules we'll need */
        stream: true,
        util: true,
        path: true,
        os: {
            /* Deny access to OS arch */
            arch: false,
        },
        assert: true
    },
    module: {
        /* Allow fs-extra to access fs */
        'fs-extra': {
            fs: true,
        },
        esm: {
            module: true,
            fs: true,
            vm: true,
            crypto: true,
            punycode: true,
            url: true,
            timers: true
        }
    }
});

const require_ = require('esm')(module);
require_('./main');

main.js

import fs from 'fs';

console.log({fs});

If I change main.js to this we can see it is still working even with imports.

import os from 'os';

console.log({ arch: os.arch()});
➜  security_esm node index.js
file:///Users/xo/security_esm/node_modules/@matthaywardwebdesign/node-security/dist/plugins/NodeSecurityPlugin.js:1
Error: Attempt to access os.arch was blocked
    at Proxy.module.(anonymous function) (file:///Users/xo/security_esm/node_modules/@matthaywardwebdesign/node-security/dist/plugins/NodeSecurityPlugin.js:18:13)
    at Object.<anonymous> (file:///Users/xo/security_esm/main.js:4:32)
    at Generator.next (<anonymous>)

OmgImAlexis avatar Dec 29 '18 22:12 OmgImAlexis

Thanks for leaving an issue @OmgImAlexis 👍

I believe this one might be resolved by the fix I'm going to implement as a result of issue #1. When implemented the permissions would only apply to the esm module itself, not any of the modules it requires.

Does this solve your issue?

matthaywardwebdesign avatar Dec 29 '18 23:12 matthaywardwebdesign