search

puresec / FunctionShield

A Serverless Security Library for Developers. Regain Control Over Your AWS Lambda & Google Cloud Functions Runtimes.
Other
39 stars 12 forks source link

What prevents Malicious code from disabling Function Shield? #3

Closed nbarraille closed 5 years ago

nbarraille commented 5 years ago

As it seems you're allowed to call FunctionShield.configure multiple times, what prevents Malicious code from re-allowing accesses before trying to make outbound network calls?

0xh0b0 commented 5 years ago

In FunctionShield v2.0.0 you need to add an additional parameter cookie to any subsequent call to FunctionShield.configure

const FunctionShield = require("@puresec/function-shield");
const got = require("got");
const cookie = FunctionShield.configure({
    policy: {
        outbound_connectivity: "block",
        read_write_tmp: "block",
        create_child_process: "block",
        read_handler: "block"
    },
    token: process.env.FUNCTION_SHIELD_TOKEN
});

exports.hello = async (event) => {
    ...
    FunctionShield.configure({
        cookie: cookie,
        policy: {
            outbound_connectivity: "allow"
        }
    });

    const response = await got("https://api.company.com/users");

    FunctionShield.configure({
        cookie: cookie,
        policy: {
            outbound_connectivity: "block"
        }
    });
    ...
};