Skip to content

Sandbox env and global security concerns #96

Description

@yogevlahyani

I plan on using this package to allow all users to develop their plugins and run it within my machine and I have some security concerns, so I'm testing my own using Nexus.

Using sandbox custom env works, but when I install an npm package that uses require('process'), the package can access the environment variables.

const manager = new PluginManager({
    sandbox: {
        env: {},
    },
});

console.log(process.env) // {}

const { env } = require('process'); // or node:process
console.log(env) // all environment variables are being logged

Another concern of mine is the global object, I believe it contains some unnecessary functions and sensitive data, the sandbox option is not well-documented as far as I saw but I wonder what can I do to minimize the security risks involved in using this package and let users run unsafe code within my machine.

Metadata

Metadata

Assignees

No one assigned

    Labels

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions