I'm a complete Node noob, so I apologize if this question has an obvious answer.
I'm looking to create a web app that will run plugins from untrusted sources (i.e. community submissions). So I need to lock down those plugins into a sandbox where only certain access is allowed (can't write to disk, etc.). Ideally, the plugin would only be able to use certain approved node packages and APIs.
Is this possible in Node? If so, can you point me toward a package or documentation that will get me started?
Here is a small list of projects that can help you:
https://github.com/gf3/sandbox
https://github.com/hflw/node-sandbox
https://github.com/bcoe/sandcastle
https://github.com/wearefractal/boxy
I suggest the first one (sandbox) since it's more mature.
I would also contribute to the list with my library: https://github.com/asvd/jailed. In addition to the sandboxing of the untrusted code (in a restricted subprocess), it gives an opportunity to export any set of functions inside the sandbox thus defining a custom API for the sandboxed code.
Related
I want to create a workflow automation where an activity comes in and user can setup a multilevel workflow.
For frontend i am using https://reactflow.dev
How to structure things in nodejs backend. Things like database, accessing control flow statements, statements which requires crons.
You also may want to have a look at node-red.
It's an open-source product that does exactly that.
There's a set of built-in nodes.
You can develop your own nodes, or import 3rd party ones. Which are stored in NPM.
You can also just create a node with javascript or typescript code in it, on the fly.
You should check Flumejs: https://flume.dev/
https://flume.dev/docs/quick-start/
Also you should see this code sandbox example. Try to read the code
and all the dependencies: https://codesandbox.io/s/node-based-code-generation-test-forked-ll9flz?file=/src/App.tsx
I hope you find this helpful.
I am developing opensouce project with a huge pile of dependencies, and I find Puppet a perfect tool for my requirements.
However, my target audience is not necessarily experienced with Puppet. To the point they may not be even know how web servers work. So I would like to ask the user to “run this in terminal” for the simplest case, but if the user also wants to configure some parts of my software, he would have to learn puppet. And educating them Puppet defeats the “servers for dummies” purpose of my project.
Basically, dare I say, I need Unity from the deployment world.
The thing I came up with, is to use ‘json’ as a backend for Puppet, and then write some GUI tool that would generate/modify that json using JSON Schema. Of couse, this thing will be optional and experient Puppet usets could still just use my module as is.
The questiond is, am I doing it right? Is there a solution for my problem?
Thanks in advance.
You can use Hieradata to give the ability to users to configure some parts for your "Software". you can put your hiera configuration in a git repository or build a tool to edit & update this hiera configuration.
There is some tools that you can use in order to make more easier for your users like Foreman and Puppetboard
But I think it's mandatory for your users to have a basic knowledge of Puppet so they can debug or manipulate the software.
These are some things that you can use.
Have a look at these:-
https://puphpet.com/
https://github.com/voxpupuli/puppetboard
In traditional model, when program does dynamic linking of shared library, than - as one of side effects - it, usually does not have to care about updates, as when new version (let's say with security or performance fix) comes, it's updated (by some kind of package manager on some Uhix or sth equivalent on Windows), and application can benefit on next run from new version.
In such process, application maintainer does not have to perform any steps, in order for his/her users to benefit from new , fixed library.
How does it work in Native Client?
Are those libraries packed in package, so developer has to repackage every time new version of library comes,
or is there some mechanism, either to benefit from some way or sharing libraries, or getting this package repacked automatically (for example by Chrome Web Store) ?
I've eye-balled:
Distributing Your Application
Building
Application Structure
and couldn't find answer. (It does not mean it's not there, I could miss sth).
Based on my experience with NaCl, your app is responsible for updating any libraries it depends on, as those libraries are necessarily distributed with your NaCl application. The exception would be any libraries/APIs that the browser provides to the application, which would be updated along with the browser.
It turns out, there night be a way of structuring application, so app can download new shared libraries via some bootstrap executable and than run, desired one with freshly downloaded shared libraries:
http://developer.chrome.com/native-client/devguide/devcycle/dynamic-loading (please note
that it's different page than this one earlier mentioned )
search for "libreverse.so" example.
Anyhow, if you have better structured answer and/or more detailed, please let know.
first things first , i have seen nwsnapshot. and its not helping.
i am building an inventory management system as a desktop app using node-webkit . the project being built is using compoundjs (mvc javascript library). which have a definite folder structure (you know mvc) and multiple javascript files inside them.
the problem is nwsnapshot allows the app to have only a single snapshot file but the logic of application is spread over all the folders in different javascript files.
so how do i secure my source code before shipping it to client? Or any other work-around Or smarter way (yes, i know about obfuscating).
You can use nodewebkit command called nwsnapshot to compile the javascript code into binary which will be loaded into the app without specifying any js file
nwsnapshot --extra-code application.js application.bin
in your package.json add this:
snapshot: 'application.bin'
It really depends on what you mean by "secure".
You can obfuscate your javascript code fairly well (as well as potentially improve performance) by using the Google Closure Compiler.
I'm not aware of any off-the-shelf solutions to encrypt/decrypt your javascript, and honestly I would question the need for that.
Some people think they need to make it impossible to view their source code, because they're used to dealing with compiled languages where you only ship binaries to users. The fact is, reverse-engineering that binary code was never as difficult as some people think it is, so if there's any financial incentive, there is practically no difference between shipping source code and the traditional shipping of binaries.
Some languages have offered genuine encryption of deployed assets, such as Microsoft's SLPS. It seems to me that the market for this was so small that Microsoft gave it to a partner (just my view). The truth is that most customers are not interested in taking your source code; they're far more interested in your ability to service and support that code in an efficient manner, while they get on with their job.
You may consider to merge the JS files into one in the build process and compile it.
I want to build a Chrome Extension for the Developer Tools that watches for changes a given folder and refreshes/updates the CSS/JS/image files in the browser.
There is a similar approach already:
http://tin.cr
Tin.cr uses NPAPI which is not sandboxed and has some security issues, so I can't use it in some dev environments where company polices have strict rules (specially in the financial industry).
Another approach is to use NaCl (Chrome's Native Client, which is sandboxed).
I am a front-end dev, with little knowledge in C, so I need some help, please.
How can I watch/monitor file changes in libuv? If someone could provide a code snippet I would greatly appreciate it.
From what I understand from the docs, libuv would allow the extension to work cross-platform, am I wrong?
Thanks
NaCl doesn't have an API to watch changes in a given folder on disk. Can you use Google Drive? Google Drive has an API for getting list of changed files: https://developers.google.com/drive/v2/reference/changes/list.