I want to let users create custom plugins for one of my apps Programmed in Node JS.
I thought of using some method similar than dynamic libraries, but using Node Modules. The problem is don't want the users to be able to do harmful things like making inappropriate use of the network or accessing the file system.
Is there any way you can limit the NODE Native API for an specific module?
On
I doubt there is any real defense if you grant someone code execution level access to your server. At the best, you will be in an arms race trying to plug holes as they are discovered.
If you want to allow customers to expand the functionality of your product, you should probably just develop an API for the customer products to interface with. This way, there is a limited attack surface area and you can control all the access points to your application.
On
One of the solutions would be to recompile node without unwanted API calls.
Another way to achieve this is to monkey patch unwanted calls and unwanted modules after the process starts.
> var fs = require("fs");
> fs.openSync("/etc/passwd", 0);
12
> fs.openSync = function(){}
> var fs = require("fs");
> fs.openSync("/etc/passwd", 0);
'Not allowed'
You have to also monkey patch in the same way require.reload and think about how else this can be circumvented.
I realice how to do this: the trick is using the with operator.
For example you can limit the access to some APIs in a browser using: