Node js plugin permissions - node.js

I am creating a web server with Sails.js and want to allow third-party developers to create Node.js plugins installable from a web page (store).
My problem is that I don't want these plugins to require sails (or other critical modules), have access to the database and services, and do whatever they want.
For example, using fs to delete all files.
How can I do that? I have no idea whether Node.js can lock some scripts to their own directory.

I don't think that node exposes any sandboxing functionality, so when you load JS code into node, that code can do what it wants.
From your description, your plugins are more like browser JavaScript code, so I think that you can use a headless browser to execute your code and retrieve the result. I've never tried it myself, but it should work. You just have to figure out how to pass parameters to the plugin and get the result; also, performance will be very bad because the headless browser is quite heavy. Try looking at
http://phantomjs.org/
Another solution is to run the plugins directly inside node but sanitizing the code before running. There are some projects like:
http://gf3.github.io/sandbox/
https://github.com/asvd/jailed
They can help you limit the powers of the plugins.
Anyway, are you sure about it? In any major CMS platform that I've seen (WordPress, Joomla, Drupal, Liferay ...), the platform's author trusts plugin authors, and plugins can always do what they want.
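Added example, not part of the original answer and not code from either linked project: if plugins only get an explicit host-provided API instead of `fs`, the host still has to confine every plugin-supplied path to that plugin's own directory, which is the "lock scripts to their own directory" part of the question. The function names, the `{ op, path, data }` message shape and the sample tree are hypothetical, and the check assumes the plugin runs somewhere it cannot call `fs` directly.

```javascript
const fs = require('fs');
const os = require('os');
const path = require('path');
// lstat (not stat) so that a dangling symlink still counts as an existing entry.
const lexists = (p) => { try { fs.lstatSync(p); return true; } catch { return false; } };

// Map an untrusted, plugin-supplied path to a real path under pluginRoot, or throw.
function resolveInsidePluginDir(pluginRoot, requested) {
  if (typeof requested !== 'string' || requested.includes('\0')) throw new Error('invalid path');
  const root = fs.realpathSync(pluginRoot);
  let existing = path.resolve(root, requested); // collapses "..", honours absolute paths
  const tail = [];
  while (!lexists(existing)) {                  // walk up to the deepest entry that exists
    tail.unshift(path.basename(existing));
    existing = path.dirname(existing);
  }
  // realpathSync follows symlinks planted in the plugin dir; a dangling link throws (fail closed).
  const real = path.join(fs.realpathSync(existing), ...tail);
  // Compare with a trailing separator so "/plugins/a" does not also admit "/plugins/ab".
  if (real !== root && !real.startsWith(root + path.sep)) throw new Error('outside plugin directory');
  return real;
}

// The only operations the host performs on a plugin's behalf; everything else is refused.
function handlePluginRequest(pluginRoot, msg) {
  try {
    const target = resolveInsidePluginDir(pluginRoot, msg.path);
    if (msg.op === 'read') return { ok: true, data: fs.readFileSync(target, 'utf8') };
    if (msg.op === 'write') { fs.writeFileSync(target, String(msg.data)); return { ok: true }; }
    return { ok: false, error: 'unsupported op' };
  } catch (err) {
    return { ok: false, error: err.message };
  }
}

// Constructed sample tree: plugin dirs "a" and "ab" (shared prefix) plus a host-only file.
function demo() {
  const base = fs.mkdtempSync(path.join(os.tmpdir(), 'plugins-'));
  const root = path.join(base, 'a');
  fs.mkdirSync(root); fs.mkdirSync(path.join(base, 'ab'));
  fs.writeFileSync(path.join(base, 'secret.txt'), 'host-only');
  fs.symlinkSync(path.join(base, 'secret.txt'), path.join(root, 'link.txt'));
  const ask = (op, p, data) => handlePluginRequest(root, { op, path: p, data });
  return {
    write: ask('write', 'data/../notes.txt', 'hi'), read: ask('read', 'notes.txt'),
    traversal: ask('read', '../secret.txt'), sibling: ask('read', '../ab/x'),
    symlink: ask('read', 'link.txt'), absolute: ask('read', path.join(base, 'secret.txt')),
    del: ask('unlink', 'notes.txt'),
  };
}
```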

Related

How do I deploy a GWT website without Google App Engine? Is it possible to use GitHub Pages?

The Issue
Hi, I made a GWT (Google Web Toolkit) website, but now that I am done, I'm not sure how to host the website.
The code is only client-side, so I'm not sure where the problem is.
I would be grateful for any advice on where and how to host a GWT website.
Here's the GWT app on GitHub: https://github.com/aryanka15/GWTCledgeTextParser
My attempt to use GitHub Pages: https://github.com/aryanka15/aryanka15.github.io
What I tried:
I tried using GitHub Pages, but it doesn't work; for some reason the JS file is not recognized by browsers or something like that.
The "Build Java with Ant" GitHub Action doesn't work either.
I also tried using Google App Engine, but it is a very complicated process that I couldn't get working, and I would like to avoid it if possible.
Also, I used VSCode to develop the application, if that helps. I think that many of the Google App Engine plugins for IDEs like Eclipse are deprecated, but let me know if I'm wrong.
Thank you!
Nvm, I wasn't being very smart. I just had to change the html to index.html, make necessary adjustments in the js files, and add all the files inside war to GitHub with the same file structure.

Bazel nodejs liveserver

I've been going through the documentation at https://bazelbuild.github.io/rules_nodejs/ in order to put together a small web based application. I've got babel building the JS code, and http_server serving it, and ibazel watching it, and everything is working as expected: when I make a change, ibazel notices it and restarts the http_server rule.
The next thing I wanted to look at is getting autoreload in the browser so that the browser would automatically refresh when the change was compiled. My understanding is that this requires the http server to not be killed by ibazel, but instead to stay up and trigger a refresh via the ibazel_live_reload mechanism. I believe that http_server doesn't support this, but ts_devserver is explicitly mentioned in several places. However, ts_devserver doesn't seem to be maintained anymore (although I did find a devserver EXE in the npm package, there isn't a bazel rule that I saw to use it).
Is there a third-party live development server that supports the ibazel reload mechanism, or am I missing something completely obvious?
Disclosure: I'm a core maintainer on rules_nodejs.
As of rules_nodejs v3.0.0, ts_devserver has been renamed to concatjs_devserver to try and better namespace it (it has little to nothing really to do with Typescript). Its docs can be found here.
Note, though, that concatjs_devserver comes with some compatibility gotchas: all dependencies have to be in named AMD/UMD or goog.module format, for example, and it may be tricky to use unless you follow the rest of the google3 toolchain.
We've (as the maintainers of rules_nodejs) tried not to wrap an existing devserver and publish it as of yet for various reasons, but it's something that has come up in discussion. I'm currently investigating some options in this space.
I'm not aware of any published devservers that currently support the ibazel protocol; there is a wrap of browsersync in the Angular Components repo which you may find useful.

Single executable for React App and Express API

I have a React App and an Express API. I want to package those two components into one single executable. Is there a way to do this? I don't want a solution to my problem; I want a hint in the right direction, if this is possible.
I believe what you mean is not to keep the bundler running as well as the express server. Unfortunately, that's not possible if you're in developer mode and you're expecting real-time updates in your browser, but if you were in production, then you don't even need to run your bundler, because your main.bundle.js is already built and ready.
I think this is what you are looking for. https://electronjs.org/
Electron or similar libraries help you to create an executable application which can be installed and run like a desktop application.
The only point you have to keep in mind is for accessing the database you will have to create a REST API and communicate via that.
Link for a simple tutorial.

electron/muon: require not defined in renderer

I'm currently working on an IPFS/Ethereum dapp in Muon.
Because I need Metamask, I started with this boilerplate: https://github.com/SwapyNetwork/electron-metamask-boilerplate
Everything is working fine so far.
However, I cannot use require('anything') in the renderer process or in HTML script tags. (See below)
There seems to be a problem with the boilerplate code, but I can't find it.
Or is node code in the renderer not supported in Muon?
My only change in testing is setting node-integration explicitly to true and
inserting require('fs') in index.js. (I installed fs, of course.)
I tried many different solutions from Stack Overflow and other sites but couldn't find a solution yet.
Error Message
Thank you
As per the muon's github repo:
Some of Muons goals include:
Use the Chromium source directly (eliminating electron's copy of chrome_src) with minor patches
make integrating chrome components less painful
faster and more streamlined end-to-end build process (see browser-laptop-bootstrap).
add support for Chrome extensions
add security focused features for the renderer:
remove node completely (from the renderer process)
full sandbox
scriptable window.opener support
As you can see there, muon does not support node code in the renderer. It is by design, for security purposes. Muon may be great for certain applications, but I recommend switching to electron if you really need to use require in the renderer.

Using NodeJS module in Titanium Studio

All, I am trying to use a third-party NodeJS SDK in Titanium Studio. However, I consistently encounter dependency issues, such as util.js, utils.js, ms.js, events.js etc. I tried to add the missing modules manually, but it looks like it will become intractable as there are so many dependencies.
My questions are:
1. Is it possible to use a NodeJS-based SDK in Titanium Studio?
2. If so, what is the right approach to include the dependencies?
Thanks a lot!
Titanium can't get Coffee scripts to work natively (assuming you want to deploy the TitaniumWrapper.coffee). A possible solution you may want to try is hooking in a plugin, http://billdawson.com/titanium_coffee_script/, in order to pre-compile Coffee scripts.
You can also try to embed everything using a Tiwebview that wraps HTML to load mojio-js.js, but you would still need to observe events of the mojio client (like replacing keys, logging in a user and creating a few model instances).
Hope you find the info useful and that it can serve for further research.
