berstend / node-safe

🤠 Make using Node.js safe again with Deno-like permissions
https://node-safe.com
205 stars 8 forks source link

[Feature idea] Default config that scopes permissions to project folders #2

Open berstend opened 2 years ago

berstend commented 2 years ago

To make using node-safe more frictionless we could add support for a "default" ~/.node-safe/.node-safe.json file.

Whenever node-safe (or node when using the shell integration) or the package managers are called and no custom permissions (cli, envs, local .node-safe.json) are found we could fallback to that global default config.

The config itself would use permissive [project]/** permissions, which mean they would allow most things but confine them to the project directory (the one that contains the package.json or the cwd if no package.json is found).

That would result in much better security by default, while not necessarily having to configure anything for typical projects (which would still be possible though).

Note: If in addition custom permissions are provided (cli, envs, local .node-safe.json) we would ignore the default file and not merge it, as otherwise we'd need to support disable-net commands and the like.

Possible default permissions:

{
  "node": {
    "allow-read-write": "[project]/**,[temp]/**",
    "allow-run": "[project]/**,[bin]/**",
    "allow-net": true
  }
}