initial commit
JamesKyburz committed Jun 14, 2019
0 parents commit 6cfe0da
Showing 20 changed files with 761 additions and 0 deletions.
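--- a/.gitignore
+++ b/.gitignore
@@ -0,0 +1,4 @@
+node_modules
+.DS_Store
+npm-debug.log
+.nyc_output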
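--- a/.travis.yml
+++ b/.travis.yml
@@ -0,0 +1,6 @@
+sudo: false
+language: node_js
+node_js:
+- "10"
+script:
+- npm t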
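--- a/package.json
+++ b/package.json
@@ -0,0 +1,11 @@
+{
+"name": "mono-rep",
+"scripts": {
+"test": "npx macleod exec npm t"
+},
+"repository": {
+"type": "git",
+"url": "git://github.com/JamesKyburz/racon"
+},
+"private": true
+}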
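Review bot: The `test` script runs `npx macleod exec npm t`, which resolves `macleod` from the registry at every test run with no version pinned, so whatever that package publishes next flows straight into CI and the run is not reproducible. The root package has no lockfile in this commit, so nothing records which version was actually used. Declare it as a pinned devDependency and call its bin directly, e.g. `"devDependencies": { "macleod": "<pinned version>" }` together with `"test": "macleod exec npm t"`.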
404 changes: 404 additions & 0 deletions packages/env/LICENSE


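--- a/packages/env/README.md
+++ b/packages/env/README.md
@@ -0,0 +1,26 @@
+# racon-env
+
+Resource Access Control for `process.env`
+
+[![js-standard-style](https://img.shields.io/badge/code_style-standard-brightgreen.svg)](https://github.com/feross/standard)
+[![build status](https://api.travis-ci.org/JamesKyburz/racon-env.svg)](https://travis-ci.org/JamesKyburz/racon-env)
+[![downloads](https://img.shields.io/npm/dm/aws-lambda-http-server.svg)](https://npmjs.org/package/racon-env)
+[![Greenkeeper badge](https://badges.greenkeeper.io/JamesKyburz/racon-env.svg)](https://greenkeeper.io/)
+
+## usage
+
+```javascript
+require('racon-env')({
+'aws-sdk': {
+read: [
+/^AWS/,
+'HOME',
+/^AMAZON/
+]
+}
+})
+```
+
+# license
+
+[Apache License, Version 2.0](LICENSE)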
5 changes: 5 additions & 0 deletions packages/env/package-lock.json


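--- a/packages/env/package.json
+++ b/packages/env/package.json
@@ -0,0 +1,27 @@
+{
+"name": "racon-env",
+"version": "0.0.1",
+"description": "permissions for process.env",
+"keywords": [
+"process.env",
+"security",
+"secrets",
+"resource",
+"access",
+"control"
+],
+"main": "src/index.js",
+"repository": {
+"type": "git",
+"url": "git://github.com/JamesKyburz/racon"
+},
+"dependencies": {},
+"devDependencies": {},
+"files": [
+"src"
+],
+"scripts": {
+"test": "cd tests && npm i && npm t"
+},
+"license": "Apache-2.0"
+}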
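--- a/packages/env/src/index.js
+++ b/packages/env/src/index.js
@@ -0,0 +1,53 @@
+'strict on'
+
+const env = process.env
+const exit = process.exit
+
+module.exports = (whitelist = {}) => {
+process.env = new Proxy(env, {
+get (obj, prop) {
+if (isAllowed(whitelist, prop, 'read')) {
+return obj[prop]
+} else {
+return ''
+}
+},
+set (obj, prop, value) {
+if (isAllowed(whitelist, prop, 'write')) {
+obj[prop] = value
+}
+}
+})
+}
+
+function captureModule () {
+const { stack } = new Error()
+const frames = (stack || '').split(/\n/)
+
+for (const frame of frames) {
+if (frame.includes(__filename)) continue
+if (/\/node_modules\//.test(frame)) {
+return frame.split(/\/node_modules\//)[1].split(/\//)[0]
+}
+}
+}
+
+function isAllowed (whitelist, prop, type) {
+const module = captureModule()
+const policy = (whitelist[module] || { [type]: [] })[type] || []
+const allowed =
+!module ||
+policy === '*' ||
+policy.includes(prop) ||
+policy.filter(x => x instanceof RegExp).find(x => x.test(prop))
+if (!allowed) {
+try {
+process.stdout.write(
+`\n${module} does not have ${type} access to process.env.${prop}\n`
+)
+} catch (e) {}
+exit(1)
+} else {
+return true
+}
+}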
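Review bot: The `set` trap never returns `true`, so any caller running in strict mode (an ES module, or a file with `'use strict'`) gets a TypeError on every assignment to `process.env`, including writes the policy allows; end the trap with `return true`, e.g. `set (obj, prop, value) { if (isAllowed(whitelist, prop, 'write')) obj[prop] = value; return true }`. The string on the first line, `'strict on'`, is not a directive and has no effect — only `'use strict'` enables strict mode for this file. In `captureModule`, `split(/\//)[0]` reduces a scoped package such as `@scope/name` to `@scope`, so every package under one scope shares a single policy entry, and the `get` trap also receives Symbol keys (e.g. from `util.inspect`), for which `x.test(prop)` throws. Attribution depends on `Error().stack` containing a `/node_modules/` frame, which is bounded by `Error.stackTraceLimit`; when no such frame is present `module` is `undefined` and `!module` grants access, so the check fails open, which is worth stating in the README.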
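--- a/packages/env/tests/.npmrc
+++ b/packages/env/tests/.npmrc
@@ -0,0 +1 @@
+package-lock=false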
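--- a/packages/env/tests/module-1/.npmrc
+++ b/packages/env/tests/module-1/.npmrc
@@ -0,0 +1 @@
+package-lock=false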
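--- a/packages/env/tests/module-1/index.js
+++ b/packages/env/tests/module-1/index.js
@@ -0,0 +1 @@
+module.exports = () => process.env.SECRET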
Binary file added packages/env/tests/module-1/module-1-0.0.1.tgz
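--- a/packages/env/tests/module-1/package.json
+++ b/packages/env/tests/module-1/package.json
@@ -0,0 +1,6 @@
+{
+"name": "module-1",
+"version": "0.0.1",
+"private": true,
+"main": "index.js"
+}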
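--- a/packages/env/tests/module-2/.npmrc
+++ b/packages/env/tests/module-2/.npmrc
@@ -0,0 +1 @@
+package-lock=false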
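--- a/packages/env/tests/module-2/index.js
+++ b/packages/env/tests/module-2/index.js
@@ -0,0 +1,4 @@
+module.exports = () => new Promise((resolve, reject) => {
+process.env.DEBUG = 'yes'
+resolve()
+})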
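Review bot: The fixture wraps a synchronous assignment in `new Promise((resolve, reject) => …)` and never uses `reject`; an `async` function expresses the same contract without the explicit-construction pattern, `module.exports = async () => { process.env.DEBUG = 'yes' }`. This file is sloppy-mode CommonJS, so a proxy `set` trap that returns `undefined` is silently accepted here; the suite therefore never exercises the strict-mode path where the same assignment throws, which is worth covering with a second fixture that starts with `'use strict'`.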
Binary file added packages/env/tests/module-2/module-2-0.0.1.tgz
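--- a/packages/env/tests/module-2/package.json
+++ b/packages/env/tests/module-2/package.json
@@ -0,0 +1,6 @@
+{
+"name": "module-2",
+"version": "0.0.1",
+"private": true,
+"main": "index.js"
+}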
15 changes: 15 additions & 0 deletions packages/env/tests/package-lock.json


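--- a/packages/env/tests/package.json
+++ b/packages/env/tests/package.json
@@ -0,0 +1,13 @@
+{
+"name": "tests",
+"private": true,
+"scripts": {
+"preinstsall": "(cd module-1 && npm pack); (cd module-2 && npm pack); (cd module-3 && npm pack)",
+"test": "./test.sh"
+},
+"dependencies": {
+"module-1": "file:module-1/module-1-0.0.1.tgz",
+"module-2": "file:module-2/module-2-0.0.1.tgz"
+},
+"devDependencies": {}
+}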
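Review bot: The script key `preinstsall` is misspelled, so npm never runs it as a `preinstall` hook and the `file:` dependencies are satisfied only by the `.tgz` tarballs committed alongside the fixtures; rename the key to `"preinstall"`. The same command also packs a `module-3` that this commit does not add, so once the hook actually runs it will fail on that directory; drop that part or add the fixture.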
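--- a/packages/env/tests/test.sh
+++ b/packages/env/tests/test.sh
@@ -0,0 +1,177 @@
+#!/usr/bin/env bash
+
+set +e
+
+node -e """
+require('../')()
+require('module-1')()
+""" &> /dev/null
+
+if [[ $? -ne 1 ]]; then
+echo "❌ module-1 should not have read access to process.env.SECRET."
+exit 1
+else
+echo "✅ module-1 could not read process.env.SECRET when no policy was specified."
+fi
+
+echo
+
+node -e """
+require('../')({
+'module-1': {
+read: ['SECRET']
+}
+})
+require('module-1')()
+""" &> /dev/null
+
+if [[ $? -ne 0 ]]; then
+echo "❌ module-1 should have read access to process.env.SECRET."
+exit 1
+else
+echo "✅ module-1 was allowed to read process.env.SECRET when it's policy allows process.env.SECRET only."
+fi
+
+echo
+
+node -e """
+require('../')({
+'module-1': {
+read: [/sdaasdasd/]
+}
+})
+require('module-1')()
+""" &> /dev/null
+
+if [[ $? -ne 1 ]]; then
+echo "❌ module-1 should not have read access to process.env.SECRET."
+exit 1
+else
+echo "✅ module-1 could not read process.env.SECRET when no policy had no matching expression."
+fi
+
+echo
+
+node -e """
+require('../')({
+'module-1': {
+read: '*'
+}
+})
+require('module-1')()
+""" &> /dev/null
+
+if [[ $? -ne 0 ]]; then
+echo "❌ module-1 should have read access to process.env.SECRET."
+exit 1
+else
+echo "✅ module-1 was allowed to read process.env.SECRET when it's policy allows *."
+fi
+
+echo
+
+node -e """
+require('../')({
+'module-1': {
+read: [/^sec..t/i]
+}
+})
+require('module-1')()
+""" &> /dev/null
+
+if [[ $? -ne 0 ]]; then
+echo "❌ module-1 should have read access to process.env.SECRET."
+exit 1
+else
+echo "✅ module-1 was allowed to read process.env.SECRET when policy allows a matching regular expression."
+fi
+
+echo
+
+node -e """
+require('../')()
+require('module-2')()
+""" &> /dev/null
+
+if [[ $? -ne 1 ]]; then
+echo "❌ module-2 should not have write access to process.env.DEBUG."
+exit 1
+else
+echo "✅ module-2 could not write to process.env.DEBUG when no policy was specified."
+fi
+
+echo
+
+node -e """
+require('../')({
+'module-2': {
+write: ['DEBUG']
+}
+})
+require('module-2')()
+""" &> /dev/null
+
+if [[ $? -ne 0 ]]; then
+echo "❌ module-2 should have write access to process.env.DEBUG."
+exit 1
+else
+echo "✅ module-2 was allowed to write to process.env.DEBUG when it's policy allows process.env.DEBUG only."
+fi
+
+echo
+
+node -e """
+require('../')({
+'module-2': {
+write: [/sdaasdasd/]
+}
+})
+require('module-2')()
+""" &> /dev/null
+
+if [[ $? -ne 1 ]]; then
+echo "❌ module-2 should not have write access to process.env.DEBUG."
+exit 1
+else
+echo "✅ module-2 could not write to process.env.DEBUG when no policy had no matching expression."
+fi
+
+echo
+
+node -e """
+require('../')({
+'module-2': {
+write: '*'
+}
+})
+require('module-2')()
+""" &> /dev/null
+
+if [[ $? -ne 0 ]]; then
+echo "❌ module-2 should have write access to process.env.DEBUG."
+exit 1
+else
+echo "✅ module-2 was allowed to write to process.env.DEBUG when it's policy allows *."
+fi
+
+echo
+
+node -e """
+require('../')({
+'module-2': {
+write: [/^debu.$/i]
+}
+})
+require('module-2')()
+""" &> /dev/null
+
+if [[ $? -ne 0 ]]; then
+echo "❌ module-2 should have write access to process.env.DEBUG."
+exit 1
+else
+echo "✅ module-2 was allowed to write to process.env.DEBUG when policy allows a matching regular expression."
+fi
+
+echo
+
+echo "✅ all tests passed."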
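Review bot: Every denial case only checks `[[ $? -ne 1 ]]` while all node output is sent to `/dev/null`, so any unrelated failure that also exits 1 — a `Cannot find module` error, or an uncaught exception inside the proxy trap — is reported as a successful denial. Capture the output and assert on the message the library prints, e.g. `out=$(node -e "..." 2>&1)` followed by `[[ $? -eq 1 && $out == *'does not have read access'* ]]`, so the test distinguishes a policy decision from a crash. The `"""…"""` quoting around each snippet is two empty strings around one double-quoted string; it works in bash, but a single `"..."` or a quoted heredoc (`<<'EOF'`) makes the intent clearer and keeps shell expansion out of the JavaScript text.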
