		@@ -28,3 +28,3 @@ /*
		pathCombinations = [];


		arrayedPaths = commands.map(function(thisCommand) {
		@@ -67,34 +67,13 @@ return paths.map(function(thisPath) {
		function permissionDenied(name, originalMethod) {

		return function () {

		var toCheckCommands = [],
		found = false,
		i = 0;

		// command could be in arguments[0] in case of exec
		// or arguments[1][1] in case of execFile for node v0.10
		toCheckCommands.push(arguments[0].split(/\s+/)[0]);
		if (arguments.length >= 2 && arguments[1][1]) {
		toCheckCommands.push(arguments[1][1].split(/\s+/)[0]);
		var command = arguments[0].split(/\s+/)[0];
		if (arguments.length >= 2 && arguments[1][1] && path.basename(command) === 'sh') {
		//for node0.10 & node0.12, arguments[0] is /bin/sh and arguments[1][1] has the actual command
		command = arguments[1][1].split(/\s+/)[0];
		}

		for (i = 0; i < toCheckCommands.length; i++) {
		if (isAbsolutePath(toCheckCommands[i])) {
		if (whitelist.commandPaths.indexOf(toCheckCommands[i]) >= 0) {
		found = true;
		break;
		}
		} else {
		//relative path
		if (whitelist.commands.indexOf(path.basename(toCheckCommands[i])) >= 0) {
		found = true;
		break;
		}
		}
		}
		if (found) {
		if ((isAbsolutePath(command) && whitelist.commandPaths.indexOf(command) >= 0)
		\|\| (!isAbsolutePath(command) && whitelist.commands.indexOf(path.basename(command)) >= 0)) {
		return originalMethod.apply(this, arguments);
		} else {
		throw new Error("Function call " + name + "() is prohibited in this environment.");
		throw new Error("Function call " + command + " is prohibited in this environment.");
		}
		@@ -113,3 +92,3 @@ };
		};


		}
		@@ -132,6 +111,6 @@ /*
		//_linkedBinding is defined from v0.12
		restrictBinding('_linkedBinding', process._linkedBinding);
		restrictBinding('_linkedBinding', process._linkedBinding);
		}



		// For each of the methods in child_process
		@@ -138,0 +117,0 @@ // Verify if command is in whitelist

package.json

		{
		"name": "restrict",
		"description": "Restricts applications from calling certain methods on process and all methods on child_process",
		"version": "0.0.8",
		"version": "0.0.9",
		"author": "Rohini Harendra <rohini.raghav@gmail.com>",
		"repository": {
		"type": "git",
		"url": "https://github.com/yahoo/restrict.git"
		"type": "git",
		"url": "https://github.com/yahoo/restrict.git"
		},
		"bugs": {
		"url" : "http://github.com/yahoo/restrict/issues"
		"url": "http://github.com/yahoo/restrict/issues"
		},
		"keywords": [
		"restrict", "yahoo"
		"restrict",
		"yahoo"
		],
		"licenses":[
		{
		"type" : "BSD",
		"url" : "https://github.com/yahoo/restrict/blob/master/LICENSE"
		}
		],
		"engines": { "node": ">=0.6" },
		"dependencies": {
		"licenses": [
		{
		"type": "BSD",
		"url": "https://github.com/yahoo/restrict/blob/master/LICENSE"
		}
		],
		"engines": {
		"node": ">=0.6"
		},
		"dependencies": {},
		"devDependencies": {
		@@ -33,6 +35,5 @@ "jshint": "*",
		"scripts": {
		"pretest": "jshint --config ./node_modules/yui-lint/jshint.json ./lib/",
		"test": "istanbul cover --print both vows -- --spec ./tests/*.js"
		"pretest": "jshint --config ./node_modules/yui-lint/jshint.json ./lib/",
		"test": "istanbul cover --print both vows -- --spec ./tests/*.js"
		}
		}

511

tests/test-restict.js

		@@ -10,5 +10,6 @@ /*
		var restrict = require('..');
		var errorMessage = "Function call [[command]] is prohibited in this environment.";
		// Add ls to whitelist
		restrict({
		'whitelist': ['ls', 'foo.bar'],
		'whitelist': ['ls', 'foo.bar', 'hello.js', '/usr/bin/who'],
		'whitelistPath': ['/bin', '/usr/bin']
		@@ -23,172 +24,238 @@ });
		var tests = {

		'testing restrict child_process methods': {

		'testing restrict child_process methods using spawn': {
		topic: function () {
		var self = this;
		try {
		require('child_process').spawn('grep',['BLA', './*']);
		} catch (e) {
		self.callback(null, {
		'error': e
		});
		}
		},
		'verify error': function (topic) {
		assert.ok(topic.error !== null);
		}
		var self = this;
		var command = 'grep';
		try {
		require('child_process').spawn(command,['BLA', './*']);
		} catch (e) {
		self.callback(null, {
		'error': e,
		'command': command
		});
		}
		},
		'verify error': function (topic) {
		assert.ok(topic.error !== null);
		assert.equal(topic.error.message, errorMessage.replace("[[command]]", topic.command));
		}
		},
		'testing restrict child_process methods whitelist': {
		'testing restrict child_process methods using exec': {
		topic: function () {
		var self = this;
		try {
		require('child_process').exec('ls');
		var self = this;
		try {
		require('child_process').exec('grep foo package.json');
		} catch (e) {
		self.callback(null, {
		'error': e,
		'command': 'grep'
		});
		}
		},
		'verify error': function (topic) {
		assert.ok(topic.error !== null);
		assert.equal(topic.error.message, errorMessage.replace("[[command]]", topic.command));
		}
		},

		'testing restrict child_process methods using fork': {
		topic: function () {
		var self = this;
		var command = 'grep';
		try {
		require('child_process').fork(command,['BLA', './*']);
		} catch (e) {
		self.callback(null, {
		'error': e,
		'command': command
		});
		}
		},
		'verify error': function (topic) {
		assert.ok(topic.error !== null);
		assert.equal(topic.error.message, errorMessage.replace("[[command]]", topic.command));
		}
		},

		'testing restrict child_process methods using execFile': {
		topic: function () {
		var self = this;
		var command = 'who';
		try {
		require('child_process').execFile(command,['BLA', './*']);
		} catch (e) {
		self.callback(null, {
		'error': e,
		'command': command
		});
		}
		},
		'verify error': function (topic) {
		assert.ok(topic.error !== null);
		assert.equal(topic.error.message, errorMessage.replace("[[command]]", topic.command));
		}
		},

		'testing restrict child_process methods for commands which are whitelisted': {
		topic: function () {
		var self = this;
		try {
		require('child_process').exec('ls');
		require('child_process').exec('ls -l /tmp');
		require('child_process').spawn('ls', ['-lh', '/usr']);
		require('child_process').execFile('ls', ['-lh', '/usr']);
		require('child_process').fork('tests/fixtures/hello.js', ['--version']);
		self.callback(null, {});
		} catch (e) {
		self.callback(null, {
		'error': e
		});
		}
		},
		'verify error': function (topic) {
		assert.ok(topic.error === undefined);
		}
		} catch (e) {
		self.callback(null, {
		'error': e
		});
		}
		},
		'verify error': function (topic) {
		assert.isUndefined(topic.error);
		}
		},
		'testing restrict child_process methods relative whitelist': {

		'testing restrict child_process methods for commands which are whitelisted with relative path': {

		topic: function () {
		var self = this;
		try {
		require('child_process').exec('xyz/foo.bar',['-ltr']);
		require('child_process').exec('./foo.bar',['-ltr']);
		require('child_process').exec('../foo.bar',['-ltr']);
		require('child_process').exec('./tmp/foo.bar',['-ltr']);
		require('child_process').exec('foo.bar',['-ltr']);
		var self = this;
		try {
		['foo.bar', './foo.bar', '../foo.bar', 'xyz/foo.bar'].forEach(function(cmd) {
		require('child_process').exec(cmd + ' -arg1');
		require('child_process').spawn(cmd,['-arg1']);
		require('child_process').execFile(cmd,['-arg1']);
		});
		self.callback(null, {});
		} catch (e) {
		self.callback(null, {
		'error': e
		});
		}

		},
		'verify error': function (topic) {
		assert.ok(topic.error === undefined);
		}
		},
		'testing restrict child_process methods whitelist absolute': {
		} catch (e) {
		self.callback(null, {
		'error': e
		});
		}

		},
		'verify error': function (topic) {
		assert.isUndefined(topic.error);
		}
		},
		'testing restrict child_process methods for commands which are whitelisted with absolute path': {
		topic: function () {
		var self = this;
		try {
		require('child_process').exec('/bin/ls',['-ltr']);
		var self = this;
		try {
		['/bin/ls', '/usr/bin/who'].forEach(function(cmd) {
		require('child_process').exec(cmd + ' -ltr');
		require('child_process').spawn(cmd,['-ltr']);
		require('child_process').execFile(cmd,['-ltr']);
		});
		self.callback(null, {});
		} catch (e) {
		self.callback(null, {
		'error': e
		});
		}

		},
		'verify error': function (topic) {
		assert.ok(topic.error === undefined);
		}
		} catch (e) {
		self.callback(null, {
		'error': e
		});
		}

		},

		'verify error': function (topic) {
		assert.isUndefined(topic.error);
		}
		},
		'testing restrict kill method': {
		topic: function () {
		var self = this;
		try {
		process.kill(30);
		} catch (e) {
		self.callback(null, {
		'error': e
		});
		}
		},
		'verify error': function (topic) {
		assert.ok(topic.error !== null);
		}
		var self = this;
		try {
		process.kill(30);
		} catch (e) {
		self.callback(null, {
		'error': e
		});
		}
		},
		'verify error': function (topic) {
		assert.ok(topic.error !== null);
		}
		},
		'testing restrict _kill method': {
		topic: function () {
		var self = this;
		try {
		process._kill(process.pid, 30);
		} catch (e) {
		self.callback(null, {
		'error': e
		});
		}
		},
		'verify error': function (topic) {
		assert.ok(topic.error !== null);
		}
		},
		var self = this;
		try {
		process._kill(process.pid, 30);
		} catch (e) {
		self.callback(null, {
		'error': e
		});
		}
		},
		'verify error': function (topic) {
		assert.ok(topic.error !== null);
		}
		},
		'testing restrict process_wrap method': {
		topic: function () {
		var self = this;
		try {
		process.binding('process_wrap');
		} catch (e) {
		self.callback(null, {
		'error': e
		});
		}
		},
		'verify error': function (topic) {
		assert.ok(topic.error !== null);
		}
		var self = this;
		try {
		process.binding('process_wrap');
		} catch (e) {
		self.callback(null, {
		'error': e
		});
		}
		},
		'verify error': function (topic) {
		assert.ok(topic.error !== null);
		}
		},
		'testing restrict _linkedBinding for process_wrap method': {
		topic: function () {
		var self = this;
		try {
		(process._linkedBinding && process._linkedBinding('process_wrap')) \|\| process.binding('process_wrap');
		} catch (e) {
		self.callback(null, {
		'error': e
		});
		}
		},
		'verify error': function (topic) {
		assert.ok(topic.error !== null);
		}
		},
		var self = this;
		try {
		(process._linkedBinding && process._linkedBinding('process_wrap')) \|\| process.binding('process_wrap');
		} catch (e) {
		self.callback(null, {
		'error': e
		});
		}
		},
		'verify error': function (topic) {
		assert.ok(topic.error !== null);
		}
		},
		'testing restrict other binding method': {
		topic: function () {
		var self = this;
		try {
		process.binding('timer_wrap');
		var self = this;
		try {
		process.binding('timer_wrap');
		process._linkedBinding && process._linkedBinding('timer_wrap')
		self.callback(null, {
		error: null
		});
		} catch (e) {
		self.callback(null, {
		'error': e
		});
		}
		},
		'verify error': function (topic) {
		assert.ok(topic.error === null);
		}
		self.callback(null, {
		error: null
		});
		} catch (e) {
		self.callback(null, {
		'error': e
		});
		}
		},
		'verify error': function (topic) {
		assert.ok(topic.error === null);
		}
		},
		'testing restrict other process methods': {
		topic: function () {
		var self = this;
		try {
		var self = this;
		try {
		var memoryUsage = process.memoryUsage();
		self.callback(null, {
		'error': null,
		'output': memoryUsage
		});
		} catch (e) {
		self.callback(null, {
		'error': e
		});
		}
		},
		'verify error': function (topic) {
		assert.ok(topic.error === null);
		}
		self.callback(null, {
		'error': null,
		'output': memoryUsage
		});
		} catch (e) {
		self.callback(null, {
		'error': e
		});
		}
		},
		'verify error': function (topic) {
		assert.ok(topic.error === null);
		}
		}
		@@ -200,91 +267,101 @@ }
		topic: function () {
		var self = this;
		try {
		restrict.setWhitelist(['grep'], ['/bin', '/usr/bin']);
		require('child_process').spawn('grep',['BLA', './*']);
		self.callback(null, {});
		} catch (e) {
		self.callback(null, {
		'error': e
		});
		}
		},
		'verify error': function (topic) {
		assert.ok(topic.error === undefined);
		}
		var self = this;
		try {
		restrict.setWhitelist(['grep'], ['/bin', '/usr/bin']);
		require('child_process').spawn('grep',['BLA', './*']);
		self.callback(null, {});
		} catch (e) {
		self.callback(null, {
		'error': e
		});
		}
		},
		'verify error': function (topic) {
		assert.isUndefined(topic.error);
		}
		},
		'testing restrict with setWhitelist child_process methods whitelist with full path': {
		topic: function () {
		var self = this;
		try {
		restrict.setWhitelist(['ls'], ['/bin', '/usr/bin']);
		require('child_process').spawn('/bin/ls', ['-lh', '/usr']);
		self.callback(null, {});
		} catch (e) {
		self.callback(null, {
		'error': e
		});
		}
		},
		'verify error': function (topic) {
		assert.ok(topic.error === undefined);
		}
		var self = this;
		try {
		restrict.setWhitelist(['ls'], ['/bin', '/usr/bin']);
		require('child_process').spawn('/bin/ls', ['-lh', '/usr']);
		self.callback(null, {});
		} catch (e) {
		self.callback(null, {
		'error': e
		});
		}
		},
		'verify error': function (topic) {
		assert.isUndefined(topic.error);
		}
		},
		'testing restrict with setWhitelist child_process methods whitelist with not whitelist path': {
		topic: function () {
		var self = this;
		try {
		restrict.setWhitelist(['grep'], ['/bin', '/usr/bin']);
		require('child_process').spawn('/usr/bin64/grep',['BLA', './*']);
		self.callback(null, {});
		} catch (e) {
		self.callback(null, {
		'error': e
		});
		}
		},
		'verify error': function (topic) {
		assert.ok(topic.error);
		}
		var self = this;
		var command = '/usr/bin64/grep';
		try {
		restrict.setWhitelist(['grep'], ['/bin', '/usr/bin']);
		require('child_process').spawn(command,['BLA', './*']);
		self.callback(null, {});
		} catch (e) {
		self.callback(null, {
		'error': e,
		'command' : command
		});
		}
		},
		'verify error': function (topic) {
		assert.ok(topic.error);
		assert.equal(topic.error.message, errorMessage.replace("[[command]]", topic.command));
		}
		},
		'testing restrict with setWhitelist child_process methods non-whitelist': {
		topic: function () {
		var self = this;
		try {
		restrict.setWhitelist(['grep'], ['/bin', '/usr/bin']);
		require('child_process').exec('ls',['-ltr']);
		var self = this;
		var command = 'ls';
		try {
		restrict.setWhitelist(['grep'], ['/bin', '/usr/bin']);
		require('child_process').exec(command,['-ltr']);
		self.callback(null, {});
		} catch (e) {
		self.callback(null, {
		'error': e
		});
		}
		},
		'verify error': function (topic) {
		assert.ok(topic.error !== null);
		}
		} catch (e) {
		self.callback(null, {
		'error': e,
		'command': command
		});
		}
		},
		'verify error': function (topic) {
		assert.ok(topic.error);
		assert.equal(topic.error.message, errorMessage.replace("[[command]]", topic.command));

		}
		},
		'testing restrict with setWhitelist with not arguments child_process methods non-whitelist': {
		topic: function () {
		var self = this;
		try {
		restrict.setWhitelist();
		} catch(e) {
		self.callback(null, {
		'error1': e
		});
		}
		try {
		require('child_process').exec('ls',['-ltr']);
		var self = this;
		var command = 'ls';
		try {
		restrict.setWhitelist();
		} catch(e) {
		self.callback(null, {
		'error1': e
		});
		}
		try {
		require('child_process').exec(command,['-ltr']);
		self.callback(null, {});
		} catch (e) {
		self.callback(null, {
		'error2': e
		});
		}
		},
		'verify error': function (topic) {
		assert.ok(topic.error1 === undefined);
		assert.ok(topic.error2 !== null);
		}
		} catch (e) {
		self.callback(null, {
		'error2': e,
		'command': command
		});
		}
		},
		'verify error': function (topic) {
		assert.isUndefined(topic.error1);
		assert.ok(topic.error2);
		assert.equal(topic.error2.message, errorMessage.replace("[[command]]", topic.command));
		}
		},
		@@ -291,0 +368,0 @@

.travis.yml

Sorry, the diff of this file is not supported yet

restrict - npm Package Compare versions

New alerts

Fixed alerts

Improved metrics

Worsened metrics