From 2ca31a10ac8e5ee828e5672546f2f7bccb681e91 Mon Sep 17 00:00:00 2001
From: Durran Jordan
Date: Tue, 10 Oct 2017 14:18:35 -0400
Subject: [PATCH] COMPASS-2164: Restrict 3rd party access to resources
---
 src/app/setup-plugin-manager.js | 29 +++++++++++++++++++++++++++++
 1 file changed, 29 insertions(+)
diff --git a/src/app/setup-plugin-manager.js b/src/app/setup-plugin-manager.js
index 880f6c149e3..c28e22e2f27 100644
--- a/src/app/setup-plugin-manager.js
+++ b/src/app/setup-plugin-manager.js
@@ -44,6 +44,35 @@ app.pluginManager = new PluginManager(
 DISTRIBUTION.plugins
 );
+/**
+ * Security related items before moving them to security plugin, phase 1.
+ */
+const Module = require('module');
+const loader = Module._load;
+
+/**
+ * The require error message.
+ */
+const ERROR = 'Due to security reasons, 3rd party plugins are not allowed to require ' +
+ 'modules with filesystem, network, or child process access.';
+
+/**
+ * List of modules that cannot be required.
+ */
+const ILLEGAL_MODULES = ['fs', 'net', 'tls', 'child_process'];
+
+/**
+ * Prevent loading of fs, net, tls, and child process for 3rd party plugins.
+ */
+Module._load = function(request, loc) {
+ if (ILLEGAL_MODULES.includes(request)) {
+ if (loc.filename.includes(DEV_PLUGINS)) {
+ throw new Error(ERROR);
+ }
+ }
+ return loader.apply(this, arguments);
+};
+
 app.pluginManager.activate(app.appRegistry);
 debug(`Plugin manager activated with distribution ${process.env.HADRON_DISTRIBUTION}.`);
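Review bot: The `ILLEGAL_MODULES.includes(request)` test in the new `Module._load` wrapper is an exact-name denylist of four modules that looks only at the immediate requiring file, so it does not cover other built-ins with the same capabilities (`http`, `https`, `dgram`, `dns` for network access, for example) or a module outside the plugin directory that loads `fs` on a plugin's behalf. An allowlist of the modules plugins may load would fail closed; at minimum the doc comment should state the limit, e.g. `* NOTE: best-effort guard only; plugin code shares this process, so this is not a security boundary.` Separately, `loc` can be null or lack a `filename` when `Module._load` is called without a parent module, which would turn the check into a TypeError; the inner test would be safer as `if (loc && typeof loc.filename === 'string' && loc.filename.includes(DEV_PLUGINS)) {`. `DEV_PLUGINS` is defined outside this hunk; if it is a directory path, the substring match is looser than comparing against a resolved path prefix, which is worth confirming.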