doc: clarify policy expectations #48947
There are no files selected for viewing
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -33,11 +33,18 @@ If you find a potential security vulnerability, please refer to our | |
|
|
||
| Node.js contains experimental support for creating policies on loading code. | ||
|
|
||
| Policies are a security feature intended to ensure the integrity | ||
| of the loaded code. | ||
|
|
||
| The use of policies assumes safe practices for the policy | ||
| files such as ensuring that policy files cannot be overwritten by the Node.js | ||
| application by using file permissions. | ||
|
|
||
| While it does not function as a provenance mechanism to trace the origin of | ||
| code, it serves as a robust defense against the execution of malicious code. | ||
| Unlike runtime-based models that may restrict capabilities once the code is | ||
| loaded, Node.js policies focus on preventing malicious code from ever being | ||
| fully loaded into the application in the first place. | ||
|
|
||
| A best practice would be to ensure that the policy manifest is read-only for | ||
| the running Node.js application and that the file cannot be changed | ||
|
|
@@ -202,12 +209,6 @@ the manifest and then immediately used without searching. | |
| Any specifier string for which resolution is attempted and that is not listed in | ||
| the dependencies results in an error according to the policy. | ||
|
|
||
| A boolean value of `true` for the dependencies map can be specified to allow a | ||
| module to load any specifier without redirection. This can be useful for local | ||
| development and may have some valid usage in production, but should be used | ||
|
|
@@ -224,6 +225,9 @@ can be used to ensure some kinds of dynamic access are explicitly prevented. | |
| Unknown values for the resolved module location cause failures but are | ||
| not guaranteed to be forward compatible. | ||
|
|
||
| All the guarantees for policy redirection are specified in the | ||
| [Guarantees](#guarantees) section. | ||
|
|
||
| ##### Example: Patched dependency | ||
|
|
||
| Redirected dependencies can provide attenuated or modified functionality as fits | ||
|
|
@@ -446,6 +450,16 @@ not adopt the origin of the `blob:` URL. | |
| Additionally, import maps only work on `import` so it may be desirable to add a | ||
| `"import"` condition to all dependency mappings. | ||
|
|
||
| #### Guarantees | ||
|
|
||
| * The policies guarantee the file integrity when a module is loaded using | ||
| `require()` or `import()`. | ||
| * Redirection does not prevent access to APIs through means such as direct | ||
| access to `require.cache` or through `module.constructor` which allow access to | ||
| loading modules. Policy redirection only affects specifiers to `require()` and | ||
| `import`. Other means, such as to prevent undesired access to APIs through | ||
| variables, are necessary to lock down that path of loading modules. | ||
|
Member
There was a problem hiding this comment.
So this probably shouldn't be listed. The intent is to prevent loading new code without going through another module. Since
Maybe we should state that it is expected that the approval of module integrity in policies' threat model implies they are allowed to muck with and even circumvent security features once loaded so environmental/runtime hardening is expected (this is true for other things like http as well anyway so not uncommon, but a callout might be good). Tools to do static analysis can aid here from linting to full blown security tools.
Member
There was a problem hiding this comment. @RafaelGSS it looks a lot better, though
Member
Author
There was a problem hiding this comment. So I think we should list the API calls allowed when using
What do you think? Any other suggestions to make it clear? |
||
|
|
||
| ## Process-based permissions | ||
|
|
||
| ### Permission Model | ||
|
|
||
Uh oh!
There was an error while loading. Please reload this page.