Skip to content

Add better ESM/loader support? #2

@OmgImAlexis

Description

@OmgImAlexis

Is there any way to block this since esm itself will be loading the files which means esm needs access to fs.

index.js

/* Import and create a new instance of NodeSecurity */
const nodesecurity = require('@matthaywardwebdesign/node-security');
const NodeSecurity = new nodesecurity();

/* Configure NodeSecurity */
NodeSecurity.configure({
    core: {
        /* Define global fs access */
        fs: false,
        /* Enable other core modules we'll need */
        stream: true,
        util: true,
        path: true,
        os: {
            /* Deny access to OS arch */
            arch: false,
        },
        assert: true
    },
    module: {
        /* Allow fs-extra to access fs */
        'fs-extra': {
            fs: true,
        },
        esm: {
            module: true,
            fs: true,
            vm: true,
            crypto: true,
            punycode: true,
            url: true,
            timers: true
        }
    }
});

const require_ = require('esm')(module);
require_('./main');

main.js

import fs from 'fs';

console.log({fs});

If I change main.js to this we can see it is still working even with imports.

import os from 'os';

console.log({ arch: os.arch()});
  security_esm node index.js
file:///Users/xo/security_esm/node_modules/@matthaywardwebdesign/node-security/dist/plugins/NodeSecurityPlugin.js:1
Error: Attempt to access os.arch was blocked
    at Proxy.module.(anonymous function) (file:///Users/xo/security_esm/node_modules/@matthaywardwebdesign/node-security/dist/plugins/NodeSecurityPlugin.js:18:13)
    at Object.<anonymous> (file:///Users/xo/security_esm/main.js:4:32)
    at Generator.next (<anonymous>)

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions