I plan on using this package to allow all users to develop their plugins and run it within my machine and I have some security concerns, so I'm testing my own using Nexus.
Using sandbox custom env works, but when I install an npm package that uses require('process'), the package can access the environment variables.
const manager = new PluginManager({
sandbox: {
env: {},
},
});
console.log(process.env) // {}
const { env } = require('process'); // or node:process
console.log(env) // all environment variables are being logged
Another concern of mine is the global object, I believe it contains some unnecessary functions and sensitive data, the sandbox option is not well-documented as far as I saw but I wonder what can I do to minimize the security risks involved in using this package and let users run unsafe code within my machine.
I plan on using this package to allow all users to develop their plugins and run it within my machine and I have some security concerns, so I'm testing my own using Nexus.
Using sandbox custom env works, but when I install an npm package that uses
require('process'), the package can access the environment variables.Another concern of mine is the global object, I believe it contains some unnecessary functions and sensitive data, the sandbox option is not well-documented as far as I saw but I wonder what can I do to minimize the security risks involved in using this package and let users run unsafe code within my machine.