capabilities is a Node.js package that allows the whitelisting (blacklist by default) of various functionality, including built-in module access, parent module privacy (hiding information about the overall application), and behavior auditing.

Capabilities are granted on a per-package basis, allowing packages to 'request' capabilities directly from withing their package.json manifests.

Installation

$ npm install capabilities

Usage

capabilities should only be used via node -r. Other forms of inclusion will result in an error.

$ node -r capabilities /path/to/program.js

Caveats

First, some caveats:

• We don't filter syscalls, check file permissions, or containerize anything. capabilities is meant to get a handle on the acceptable and expected behaviors of your dependencies - anything else is out of scope.
• Preload modules (those included via node -r) are not covered by capabilities and thus have free reign over the execution context. Be aware of this and make sure you trust what you're loading.
• The lack console.* capabilities do not cause code to throw if they use the console. The output is instead silently ignored.

Configuration

TODO

Responsible Disclosures

If you have found a security-related bug or vulnerability, please do not open an issue on Github.

Instead, please message @qix on spectrum.chat so we can discuss the details.

License

Copyright © 2018-2019 by Josh Junon. Released under the MIT License.