capabilities
v0.0.3
Published
Secure your Node.js application via capabilities
Downloads
20
Maintainers
Readme
capabilities
is a Node.js package that allows the whitelisting (blacklist by default)
of various functionality, including built-in module access, parent module privacy (hiding
information about the overall application), and behavior auditing.
Capabilities are granted on a per-package basis, allowing packages to 'request' capabilities directly from withing their package.json manifests.
Installation
$ npm install capabilities
Usage
capabilities
should only be used via node -r
. Other forms of inclusion will result in an error.
$ node -r capabilities /path/to/program.js
Caveats
First, some caveats:
- We don't filter syscalls, check file permissions, or containerize anything.
capabilities
is meant to get a handle on the acceptable and expected behaviors of your dependencies - anything else is out of scope. - Preload modules (those included via
node -r
) are not covered bycapabilities
and thus have free reign over the execution context. Be aware of this and make sure you trust what you're loading. - The lack
console.*
capabilities do not cause code to throw if they use the console. The output is instead silently ignored.
Configuration
TODO
Responsible Disclosures
If you have found a security-related bug or vulnerability, please do not open an issue on Github.
Instead, please message @qix on spectrum.chat so we can discuss the details.
License
Copyright © 2018-2019 by Josh Junon. Released under the MIT License.