Is there a way to limit the access on certain nodejs module?

[hansyulian]

Recently i found a post in linkedin regarding code challenge scam: https://www.linkedin.com/posts/franco-aguilera-2583685a_the-code-challenge-scam-they-tried-to-hack-activity-7270114822950703107-K3DW?utm_source=share&utm_medium=member_desktop

So i am wondering whether we can have some kind of limited behaviour of the fs by default? for example:

• i want to limit the fs to only able to access the folder where i start the nodejs from.
• i want to limit the fs to only access D:\Sources.....
  or something similar

Maybe we need to take a look also on some other module such as http request module that maybe need to be limited as well

[XxAlonexX]

You can create a custom wrapper around the fs module to restrict access to specific directories

const fs = require('fs');
const path = require('path');

const BASE_DIR = path.resolve('D:/Sources'); // Allowed base directory

function safeJoin(base, target) {
  const targetPath = path.resolve(base, target);
  if (!targetPath.startsWith(base)) {
    throw new Error('Access denied: Outside allowed directory');
  }
  return targetPath;
}

// fs.readFile wrapper
function readFileSafe(filePath, options, callback) {
  const safePath = safeJoin(BASE_DIR, filePath);
  return fs.readFile(safePath, options, callback);
}

readFileSafe('example.txt', 'utf8', (err, data) => {
  if (err) console.error(err);
  else console.log(data);
});

This is the easiest way i know about and did some digging also got to know about the library memfs you can look for that too buddy

[hansyulian]

hey, i dont think you understand the context nor read the scam issue yet...

so i will summarize things:

- a scammer contact you pretend to be a recruiter
- they give you code challenge with some hidden spy code in the challenge
- the code will scan your pc and try to steal anything possible

So it needs to be in the configuration of the NodeJS itself instead of some code. This can be in any form, either plain internal code or external library as well. If possible we need to have some kind of NodeJS global config to prevent access of certain module for certain project.

I am imagine if we try to run a code that seems to be just a normal HTTP server, but then when we run it we will get some kind of warning before the real code itself run:

This code is trying to use some security sensitive packages in the following files: 
fs:
     some-code-1.ts
     some-code-2.ts 
 http.request:
     some-code-3.ts
     some-code-4.ts
some-sensitive-package:
     some-code-3.ts
     some-code-4.ts
......

please check if the usage is really intended and grant access of these packages by adding the following lines to ~/.node_grant for the packages:
fs: ~/my-path // or some kind of format
http.request: ~/my-path // or some kind of format

since you are trying to do a code challenge and you would only expect http.createServer, then this one shouldn't be needed