    secure-fs-extra

    10.0.0-1 • Public • Published

    Drop in fs-extra replacement with secure defaults and controllable permissions.

    Node.js default modes for file (0o666) and directory (0o777) creation are insecure. They both grant world write access. This module enables easy file system interaction with secure modes by default. File creations use 0o600, owner RW. Directory creations use 0o700, owner RWX.

    World writable resources such as config files can allow other users to control program behavior. In some cases this leads to code injection through the config file, which can in turn lead to privilege elevation. World writable directories have the same weakness, since they allow adding files within them: a world writable config directory such as /etc/froznator/conf.d offers a route to controlling program behavior through a new config file. MITRE tracks this as CWE-732 (Incorrect Permission Assignment for Critical Resource), one of the CWE Top 25 Most Dangerous Software Weaknesses.

    Why?

    Because you want to be secure by default and loosen carefully when necessary.

    Usage

    $ npm install secure-fs-extra

    import fs from 'secure-fs-extra'

    // Full path created securely
    await fs.ensureDir('/var/froznator/queue')

    // File and full path created securely
    await fs.outputFile('/etc/froznator/conf.d/main.conf', 'AdminPassword=123')

    // File and full path created with carefully loosened permissions
    // (feed is application data)
    await fs.outputJSON('/srv/froznator/feed.json', feed, {
      mode: 0o640, // owner RW, group R
      dirMode: 0o750 // owner RWX, group RX
    })

    // Read sensitive data with confidence
    // (readConfig, password and showAdminInterface are application code,
    // not part of this module)
    const config = await readConfig('/etc/froznator/conf.d/main.conf')
    if (password === config.AdminPassword) showAdminInterface()

    Methods

    Async

    Sync

    NOTE: You can still use the native Node.js methods. They are promisified and copied over to fs-extra. See the notes on fs.read(), fs.write(), and fs.writev().

    Version

    10.0.0-1

    License

    MIT

    Unpacked Size

    126 kB

    Total Files

    35

    Collaborators

    • dittyroma