brfs
How do I restrict directory traversal?
brfs works great! I'm trying to use it in a CGI to re-invent browserify-as-a-service, but for this, it works too well. Suppose this `snoop.js` sneaks into one of my dependencies:
```js
'use strict';
var fs = require('fs');
module.exports = {
  powerState: fs.readFileSync('/sys/power/state', 'utf8'),
  powerWakeupCount: fs.readFileSync('/sys/power/wakeup_count', 'utf8'),
  installedDisks: fs.readdirSync('/dev/disk/by-id'),
  ip4Devices: fs.readdirSync('/proc/sys/net/ipv4/conf'),
  htpasswd: fs.readFileSync(__dirname + '/../../.git/.htpasswd', 'utf8'),
};
```
With just `brfs snoop.js`, it results in
```js
'use strict';
module.exports = {
  powerState: "freeze mem disk\n",
  powerWakeupCount: "8\n",
  installedDisks: ["ata-██MODEL██-██SERIAL██","ata-██MODEL██-██SERIAL██-part1","███[…]███"],
  ip4Devices: ["all","default","eth█","lo","wlan█","█████","████"],
  htpasswd: "# (fake logins, dont worry)\n# hax0r: notme\nhax0r:{SHA}30DQVTTQQ1u0WhIi1JAaDnqYDSc=\n# test: 321tset\ntest:{SHA}3s2ffDekAGYsJC59av3IisVQ3Is=\n",
};
```
So is there an easy way to specify a chroot-like path so that brfs will only read files within that path?
Update: Feature creep:
- array of whitelisted chdir paths
- custom decider function (or is this the tr.on(file) event?)
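
One way to write the "array of whitelisted paths" decider asked for above, as an added example that is not part of the original issue and not brfs code. `makeDecider`, `isAllowed` and the temp-directory sample tree are hypothetical names and constructed data; how such a check would be hooked into brfs is not shown here.

```javascript
'use strict';
const fs = require('fs');
const os = require('os');
const path = require('path');

// Hypothetical helper: build a decider from an array of allowed roots.
function makeDecider(allowedRoots) {
  // Canonicalise the roots once so later comparisons are symlink-free.
  const roots = allowedRoots.map((r) => fs.realpathSync(path.resolve(r)));
  return function isAllowed(file) {
    let real;
    try {
      // realpath collapses ".." and follows symlinks to the true target.
      real = fs.realpathSync(path.resolve(file));
    } catch (err) {
      return false; // missing or unresolvable path: fail closed
    }
    return roots.some((root) => {
      const rel = path.relative(root, real);
      // Outside if the relative path climbs out or lands on another drive.
      const escapes = rel === '..' || rel.startsWith('..' + path.sep) ||
        path.isAbsolute(rel);
      return !escapes;
    });
  };
}

// Constructed sample tree in a temp directory, so this runs offline.
function demo() {
  const base = fs.mkdtempSync(path.join(os.tmpdir(), 'brfs-roots-'));
  const project = path.join(base, 'project');
  const lib = path.join(project, 'node_modules', 'dep');
  fs.mkdirSync(lib, { recursive: true });
  fs.mkdirSync(path.join(base, 'project-evil'));
  fs.writeFileSync(path.join(lib, 'data.txt'), 'ok\n');
  fs.writeFileSync(path.join(base, '.htpasswd'), 'constructed secret\n');
  fs.writeFileSync(path.join(base, 'project-evil', 'x.txt'), 'sibling\n');
  fs.symlinkSync(path.join(base, '.htpasswd'), path.join(lib, 'link.txt'));

  const isAllowed = makeDecider([project]);
  return {
    inside: isAllowed(path.join(lib, 'data.txt')),
    dotdot: isAllowed(lib + '/../../../.htpasswd'),
    absolute: isAllowed('/sys/power/state'),
    symlink: isAllowed(path.join(lib, 'link.txt')),
    siblingPrefix: isAllowed(path.join(base, 'project-evil', 'x.txt')),
  };
}

console.log(demo());
```

Comparing with `path.relative` instead of a string prefix is what keeps `project-evil` from passing as `project`, and resolving with `realpathSync` before comparing is what catches the symlink case.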