Guardia
JavaScript library for the specification and enforcement of security policies at the application level.
Description
- TODO
Install
GUARDIA depends on some external libraries. Make sure you include these libraries before guardia:
- trait.js @ npm
Usage
Guardia is an internal DSL, so you need an entry point to the features offered by the language. The next code snippet shows how to obtain it.

```js
'use strict';
// Module specifier assumed: the argument of require() was lost in the original snippet.
const G = require('guardia');
```
Guardia's API comprises a set of properties and a set of combinators that allow those properties to be composed into more complex ones.

| Construct | Description |
|---|---|
| `Allow(arr : Array) => TBase` | Allow the execution of the supplied properties |
| `Deny(arr : Array) => TBase` | Deny the execution of the supplied properties |
| `Not(p : TBase) => TBase` | Negates the result of the policy given as parameter |
| `And(pArr : Array) => TBase` | Logical AND of the policies given as parameters |
| `Or(pArr : Array) => TBase` | Logical OR of the policies given as parameters |
| `ParamAt((...ps) => Boolean, pIdx : Number, arr : Array) => TBase` | Apply a function to one parameter (`pIdx`) of the current execution |
| `StateFnParam((...ps) => Boolean, s : String, arr : Array) => TBase` | Apply a function to one state (`s`) during an execution step |
| `getVType(idx : Number, fn : Function) => Object` | Returns the object produced by `fn(params[idx])`, where `params` is injected by the enforcement mechanism |
Policy Specification
To declare a policy you make a property using the constructs provided by Guardia. For example, let us say that the execution of alert() is forbidden in our application. For this we can use Deny or the combination Not(Allow(...)).

```js
// Arguments reconstructed from the text above; the original snippet body was garbled.
const denyAlert = G.Deny(['alert']);
const denyAlert2 = G.Not(G.Allow(['alert'])); // same effect, built from Not and Allow
```
Declaring a property is not enough: you need to deploy it on the object that you want to protect. To do that you use the installPolicy(policyObj) method. This method receives a policy configuration object that contains four fields. installPolicy(policyObj) returns an object with an on(target) method that receives the object you want to protect.

```js
const policyObj = {
  whenRead : denyAlert
  //whenWrite : [..]
  //readListeners : [..]
  //writeListeners : [..]
};
// `target` is the object to protect
const protectedTarget = G.installPolicy(policyObj).on(target);
```
Allow
```js
const allowedProperties = G.Allow([ /* property names to whitelist */ ]);
```
Deny
```js
const forbiddenProperties = G.Deny([ /* property names to forbid */ ]);
```
Not
```js
const forbiddenProperties = G.Not(G.Allow([ /* property names to whitelist */ ]));
```
ParamAt
```js
// Argument reconstruction assumed (the original snippet was garbled): reject
// createElement() calls whose first parameter (index 0) is 'iframe'.
const noIframeCreation = G.ParamAt((tag) => tag !== 'iframe', 0, ['createElement']);
```
Example # 1
The first example aims to prevent the creation of dialog boxes such as alert().

```js
// Arguments reconstructed from the text; the original snippet body was garbled.
const noAlert = G.Deny(['alert']);
G.installPolicy({ whenRead : noAlert }).on(window);
// then try to use the alert method
window.alert('hello'); // throws an exception
```
Deny([...]) has the same behavior as Not(Allow([...])). The next example shows how to use Allow([...]) to whitelist access to properties or methods of the target object.

```js
// Method names and policy arguments reconstructed from the text; the original was garbled.
let account = {
  amount: 1000,
  getAmount() { return this.amount; },
  deposit(x) { this.amount = this.amount + x; }
};
const justAllow = G.Allow(['getAmount', 'deposit']); // only these may be read/called
const noOverride = G.Deny(['amount']);               // amount may not be written
const protectedAccount = G.installPolicy({ whenRead : justAllow, whenWrite : noOverride }).on(account);
protectedAccount.getAmount();
protectedAccount.deposit(10);
protectedAccount.amount = 1234;      // throws an exception
console.log(protectedAccount.amount); // throws an exception
```
In the previous example we are able to protect the account object. But we also want to prevent negative values flowing into deposit(). For this kind of behavior GUARDIA provides us with ParamAt().

```js
// Policy arguments reconstructed from the text; the original snippet was garbled.
const ge = (a, b) => { return a > b; };
const justAllow = G.And([
  G.Allow(['getAmount', 'deposit']),
  // only let deposit() run when its first parameter (index 0) is greater than 0
  G.ParamAt((x) => ge(x, 0), 0, ['deposit'])
]);
const noOverride = G.Deny(['amount']);
account = G.installPolicy({ whenRead : justAllow, whenWrite : noOverride }).on(account);
account.deposit(-10); // throws an exception
```
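To make the policy model concrete, here is an added, self-contained illustration (not Guardia's source code) of the combinators from the table above as predicates over a call context, enforced on the account object with a Proxy. The context shape `{ prop, params, value }` and the error messages are assumptions of this example.

```javascript
// Added illustration, not Guardia's source: combinators as predicates over a
// call context { prop, params, value } (shape assumed), enforced with a Proxy.
const Allow = (arr) => (ctx) => arr.includes(ctx.prop);
const Deny = (arr) => (ctx) => !arr.includes(ctx.prop);
const Not = (p) => (ctx) => !p(ctx);
const And = (ps) => (ctx) => ps.every((p) => p(ctx));
const Or = (ps) => (ctx) => ps.some((p) => p(ctx));
// Constrain argument pIdx of the listed methods; a plain property read passes.
const ParamAt = (fn, pIdx, arr) => (ctx) =>
  !arr.includes(ctx.prop) || ctx.params === undefined || fn(ctx.params[pIdx]);

function installPolicy({ whenRead, whenWrite }) {
  const check = (policy, ctx, what) => {
    if (policy && !policy(ctx)) throw new Error(`${what} of ${ctx.prop} denied by policy`);
  };
  return {
    on(target) {
      return new Proxy(target, {
        get(obj, prop) {
          if (typeof prop !== 'string') return Reflect.get(obj, prop);
          check(whenRead, { prop }, 'read');
          const v = Reflect.get(obj, prop);
          if (typeof v !== 'function') return v;
          // Methods are wrapped so the policy sees the actual arguments (ParamAt).
          // The method runs with the raw object as `this`, so its own field
          // accesses are not re-checked.
          return (...params) => {
            check(whenRead, { prop, params }, 'call');
            return v.apply(obj, params);
          };
        },
        set(obj, prop, value) {
          check(whenWrite, { prop, value }, 'write');
          return Reflect.set(obj, prop, value);
        },
      });
    },
  };
}

// Constructed sample target mirroring the README's account example.
function protectedAccount() {
  const account = { amount: 1000, getAmount() { return this.amount; }, deposit(x) { this.amount += x; } };
  const whenRead = And([Allow(['getAmount', 'deposit']), ParamAt((x) => x > 0, 0, ['deposit'])]);
  return installPolicy({ whenRead, whenWrite: Deny(['amount']) }).on(account);
}
const throws = (fn) => { try { fn(); return false; } catch (e) { return true; } };
```

Reading `amount` directly, writing it, or calling `deposit()` with a non-positive value all raise, while `getAmount()` and a positive `deposit()` go through.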