-
Notifications
You must be signed in to change notification settings - Fork 29.8k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Node should log denied path by permission restriction #49080
Comments
This is the path that was denied. |
That's what i thought first, but then something like this should work (which it doesn't): node --experimental-permission --allow-fs-read=./index.js index.js
node --experimental-permission --allow-fs-read=index.js index.js Response:
|
https://nodejs.org/dist/latest-v20.x/docs/api/permissions.html#limitations-and-known-issues
On Unix you could do:
|
@targos Thanks, i will try it out tomorrow. |
/cc @RafaelGSS Btw, it seems we have no label for permission-related issues, nor a GH team. |
I got it to work fine with the following: node --experimental-permission --allow-fs-read=$(realpath ./index.js),$(realpath ./node_modules) index.js The program i'm running is using a fake malicious NPM package, which still could:
So my question is if there will be HTTP request block + whitelisting of URLs? My fake malicious NPM package tried to start a local tunnel via spawn, and this was blocked which is good. This is what the code looked like in the fake malicious NPM package function spawnHelper(command, args, onData) {
return new Promise((resolve, reject) => {
try {
const commandResponse = spawn(command, args);
commandResponse.stdout.on("data", (data) => {
onData(data.toString());
});
commandResponse.stderr.on("data", (data) => {
onData(data.toString());
});
commandResponse.on("error", (error) => {
onData(error.toString());
reject(error);
});
} catch (error) {
onData(error.toString());
}
});
} And executed via:
Thanks |
Those are good points, and make me think about other features that could be useful:
|
I'm working on it. For reference see: nodejs/security-wg#898.
Those are definitely good points, would you mind sharing them in the issue above so we can discuss and find a good approach to make it happen? Anyway, I'm closing this issue since the initial question was addressed. |
What is the problem this feature will solve?
Description
Running the following:
// index.js console.log("Hello, world!")
Generates:
The problem
The problem with the above error is that the only way for me to make the error go away is to add
--allow-fs-read
which i don't want to do as it would make my app more vulnerable.The solution
The solution is to print what path that was denied so that i can explicitly allow that path
v20.5.0
What is the feature you are proposing to solve the problem?
The same command should generate (similar to Deno):
What alternatives have you considered?
No response
The text was updated successfully, but these errors were encountered: