cdxgen secure image - WIP #1600

Merged
merged 1 commit into from
Jan 26, 2025

@prabhu prabhu commented Jan 26, 2025

Beginning of a cdxgen image flavor with built-in support for node.js permissions api.

prabhu commented Jan 26, 2025

Node.js permissions api is quite basic.

process.permission.has("fs.read", "*") is always true even if the argument passed was not "*"

Consider the below code snippet for index.js

console.log("Read *", process.permission.has("fs.read", "*"));
console.log("Write *", process.permission.has("fs.write", "*"));

Correct output:

node --permission --allow-fs-read=index.js index.js
Read * false
Write * false

Incorrect output:

Passing * as references is interpreted as any.

node --permission --allow-fs-read="*.js" index.js
Read * true
Write * false

Recommendation to Node.js devs

Support glob patterns in both cli args and for references argument in the has api call.

Scope attributes are limited.

There is no process.permission.has("addons") yet.

Recommendation to Node.js devs

All permission-related cli args should have an api for checking.

prabhu commented Jan 26, 2025

Todo:

Need to experiment with a cdxgen-runner script that invokes cdxgen.js with a dynamically generated NODE_OPTIONS value.

Example:

node bin/cdxgen-secure.js could do spawnSync with the environment variable NODE_OPTIONS=--permission --allow-fs-read=<input dir> --allow-fs-write=<path to bom>. Presence of sdkman, nvm, etc would make the logic a bit complex but not impossible.
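
A sketch of the runner described in the Todo above, added here as an example; it is not part of the pull request or of cdxgen. The function names, the `bin/cdxgen.js` location and the `extraReadDirs` parameter are assumptions, and wildcard grants are refused because of the `*` behaviour reported in the earlier comment.

```javascript
// Added example, not cdxgen's code. Function names, the bin/cdxgen.js location
// and the extraReadDirs parameter are assumptions made for illustration.

// Refuse wildcards: per the observation above, a "*" in --allow-fs-read was
// treated as "any", so the runner only ever grants literal paths.
function checkPath(p) {
  if (typeof p !== "string" || p.length === 0) throw new TypeError("path required");
  if (p.includes("*")) throw new Error(`wildcard not allowed in grant: ${p}`);
  return p;
}

// NODE_OPTIONS is split on spaces; a value with a space must be double-quoted,
// and inside quotes a backslash escapes the next character.
function quoteForNodeOptions(value) {
  if (!/[ "]/.test(value)) return value;
  return `"${value.replace(/(["\\])/g, "\\$1")}"`;
}

// Build the NODE_OPTIONS value from already-absolute paths, one flag per path.
function buildNodeOptions({ readPaths, writePaths }) {
  const flags = ["--permission"];
  for (const p of readPaths) flags.push(`--allow-fs-read=${quoteForNodeOptions(checkPath(p))}`);
  for (const p of writePaths) flags.push(`--allow-fs-write=${quoteForNodeOptions(checkPath(p))}`);
  return flags.join(" ");
}

// Spawn cdxgen with only the computed grants. Dynamic import() keeps the block
// loadable as either CommonJS or an ES module.
async function runSecure(inputDir, bomFile, extraReadDirs = []) {
  const path = await import("node:path");
  const { spawnSync } = await import("node:child_process");
  const cdxgenJs = path.resolve("bin", "cdxgen.js"); // assumed location
  const nodeOptions = buildNodeOptions({
    // Assumed: cdxgen must be able to read its own package directory;
    // sdkman/nvm directories would be passed in extraReadDirs.
    readPaths: [inputDir, path.dirname(path.dirname(cdxgenJs)), ...extraReadDirs].map((d) => path.resolve(d)),
    writePaths: [path.resolve(bomFile)],
  });
  const child = spawnSync(process.execPath, [cdxgenJs, "-o", bomFile, inputDir], {
    // Replace, rather than append to, any inherited NODE_OPTIONS.
    env: { ...process.env, NODE_OPTIONS: nodeOptions },
    stdio: "inherit",
  });
  return { nodeOptions, status: child.status };
}
```
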

Signed-off-by: Prabhu Subramanian <[email protected]>
@prabhu prabhu force-pushed the feature/node-permission-feature branch from de3965c to db5ecc1 Compare January 26, 2025 17:56
@prabhu prabhu merged commit 2d07991 into master Jan 26, 2025
17 of 24 checks passed
@prabhu prabhu deleted the feature/node-permission-feature branch January 26, 2025 18:25
@@ -141,6 +148,7 @@ const args = yargs(hideBin(process.argv))
})
.option("fail-on-error", {
type: "boolean",
default: !isSecureMode,
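Review bot: `default: !isSecureMode` on the `fail-on-error` option makes the default true whenever `isSecureMode` is false, so every run outside secure mode now fails on error, and secure mode is the only case where it is off. The hunk grows by one line, so this default appears to be new rather than a changed value; if strict failure is meant only for secure mode, the expression should be `default: isSecureMode`, and if the goal is only to relax it in secure mode, the non-secure default should stay what it was before and the option's description should say how secure mode changes it.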
Collaborator Author

This was a mistake. This made fail-on-error the default for everyone. Apologies.
