Wednesday 30 March 2016

Sandboxing outbound connections in a node process

With everything that's been going on with npm lately, it got me thinking about what happens if a malicious package made its way into npm. There are a number of DoS-type things a malicious package could do, such as randomly crashing the server or eating up CPU and memory. However, from a security perspective the worst thing a package can do involves collecting data and sending it back to a server somewhere.

With that in mind, what's the simplest way of controlling the outbound connections of a Node process? Ideally I'd like to be able to say that this process should only be making connections to myhost.net and anything else should be blocked.

I've thought about ways to do it in JS code itself--such as how the nock library completely alters the http behavior. But if it can be done in code then it could surely be undone in code by a malicious package as well. A fool-proof solution would have to be built into Node's underlying net stack itself.

I also know there are dozens of ways to do this at the OS level, and perhaps that's the correct answer. I'm curious if anyone has other solutions.

Submitted March 30, 2016 at 02:31PM by MrDrego
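
The JS-level approach the post considers, as an added example that is not part of the original post: a guard that wraps `net.Socket.prototype.connect` and rejects any TCP destination other than `myhost.net`. The helper names (`targetOf`, `isAllowed`, `installGuard`) are hypothetical, and the handling of a pre-normalized argument array assumes the way Node's `net.connect()` currently calls `Socket#connect` internally.

```javascript
// Added example; helper names are illustrative, not from the post or Node.
const net = require('net');

// Allowlist from the post's example; exact hostnames only, no wildcards.
const ALLOWED_HOSTS = new Set(['myhost.net']);

// Socket#connect accepts (options[, cb]), (port[, host][, cb]), (path[, cb]),
// and (assumption) the pre-normalized [options, cb] array net.connect() passes.
function targetOf(args) {
  let first = args[0];
  if (Array.isArray(first)) first = first[0];
  if (first !== null && typeof first === 'object') {
    if (first.path) return { kind: 'ipc', host: null };
    return { kind: 'tcp', host: String(first.host || 'localhost') };
  }
  // A non-numeric string is a pipe/Unix socket path, not a port.
  if (typeof first === 'string' && !/^\d+$/.test(first)) {
    return { kind: 'ipc', host: null };
  }
  return { kind: 'tcp', host: typeof args[1] === 'string' ? args[1] : 'localhost' };
}

function isAllowed(target, allowed = ALLOWED_HOSTS) {
  if (target.kind === 'ipc') return true; // local pipes are not outbound traffic
  return allowed.has(target.host.toLowerCase().replace(/\.$/, ''));
}

// Wrap Socket.prototype.connect so disallowed destinations throw before any
// DNS lookup or packet is sent. Returns handles to check and remove the guard.
function installGuard(allowed = ALLOWED_HOSTS) {
  const original = net.Socket.prototype.connect;
  function guardedConnect(...args) {
    const target = targetOf(args);
    if (!isAllowed(target, allowed)) {
      throw new Error(`outbound connection to ${target.host} blocked`);
    }
    return original.apply(this, args);
  }
  net.Socket.prototype.connect = guardedConnect;
  return {
    // The property stays writable, so this only detects replacement; it
    // cannot prevent it, which is the limitation the post describes.
    intact: () => net.Socket.prototype.connect === guardedConnect,
    uninstall: () => { net.Socket.prototype.connect = original; },
  };
}
```

The guard covers only sockets created through `net.Socket`, so it is a tripwire for accidental or unsophisticated egress rather than an enforcement boundary; enforcement belongs at the OS or network layer, as the post suggests.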
