Feedback on David Bruant's Contained Node Modules

David Bruant has a great writeup on an MVP for safe modules, specifically for Node.js and the CommonJS module system. He is looking for feedback and says:

I believe this writing to be complementary to Safe JavaScript Modules in the sense that I see Safe JavaScript Modules as the description of a module system that enables finest-grained POLA. Meanwhile, I see my writing more as a first step of a product development/deployment strategy in this direction.

My focus with this writing is to find a concrete lowest-cost first step to significantly increase security for Node.js apps. I think what I describe is such a result.

I hope that deploying this first work would already heighten the bar for attacks to the ecosystem (maybe to the point they become impractical for a long time). I also anticipate this would be the occasion to learn a lot about the state of current npm packages. Learning that might be useful to assess how much work would be needed to apply a good level of POLA to the current npm package ecosystem.

I am looking for feedback in a couple of areas:

  • how much less work can be done to build something that still would increase security?

  • if what is written was widely deployed, would it be in the way of the finest-grained vision?

I have concerns about the integrity of these package.json files. If the application does not have a well known integrity for all of these it could lead to fs mutation attacks like those we saw inside of event-stream. It seems like authority enforcement mechanisms need guaranteed integrity to be listed ahead of executing code for any security measure to be feasible.

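An added example, not part of the thread or of David Bruant's proposal: one way to get the property the reply above asks for is to pin a digest of every package.json at a trusted point and re-check all of them before any package code runs. The function names, the `permissions` field and the demo tree are hypothetical and constructed for illustration.

```javascript
const crypto = require('node:crypto');
const fs = require('node:fs');
const os = require('node:os');
const path = require('node:path');

const sha256 = (buf) => crypto.createHash('sha256').update(buf).digest('hex');

// List every package.json under root, as sorted paths relative to root.
function findManifests(root, dir = '') {
  const out = [];
  for (const e of fs.readdirSync(path.join(root, dir), { withFileTypes: true })) {
    const rel = path.join(dir, e.name);
    if (e.isDirectory()) out.push(...findManifests(root, rel));
    else if (e.name === 'package.json') out.push(rel);
  }
  return out.sort();
}

// Trusted step (install/review time): record one digest per manifest.
// The pins must be stored where package code cannot write to them.
function pinManifests(root) {
  const pins = Object.create(null);
  for (const rel of findManifests(root)) pins[rel] = sha256(fs.readFileSync(path.join(root, rel)));
  return pins;
}

// Run before any package code executes; returns every mismatch found.
function verifyManifests(root, pins) {
  const seen = findManifests(root);
  const problems = [];
  for (const rel of seen) {
    if (!(rel in pins)) problems.push({ file: rel, reason: 'unpinned' });
    else if (sha256(fs.readFileSync(path.join(root, rel))) !== pins[rel]) problems.push({ file: rel, reason: 'modified' });
  }
  for (const rel of Object.keys(pins)) if (!seen.includes(rel)) problems.push({ file: rel, reason: 'missing' });
  return problems;
}

// Constructed demo tree; the "permissions" field is hypothetical.
function demo() {
  const root = fs.mkdtempSync(path.join(os.tmpdir(), 'pins-'));
  const write = (name, permissions) => {
    const dir = path.join(root, 'node_modules', name);
    fs.mkdirSync(dir, { recursive: true });
    fs.writeFileSync(path.join(dir, 'package.json'), JSON.stringify({ name, permissions }));
  };
  write('a', []); write('b', ['fs']);
  const pins = pinManifests(root);
  const clean = verifyManifests(root, pins);
  write('a', ['fs', 'net']); // manifest rewritten on disk after pinning
  write('c', ['net']);       // manifest that was never reviewed
  const tampered = verifyManifests(root, pins);
  fs.rmSync(root, { recursive: true, force: true });
  return { clean, tampered };
}
```

An enforcement layer would refuse to start when `verifyManifests` returns anything, and would parse the same bytes it hashed rather than re-reading the file afterwards.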