Skip to content

policy: add dependencies map for redirect and whitelisting #28767

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed
bmeck wants to merge 10 commits into from
Closed

policy: add dependencies map for redirect and whitelisting #28767

Changes from 1 commit
Commits
Show all changes
10 commits
Select commit Hold shift + click to select a range
443b036
policy: add dependencies map for redirect and whitelisting
bmeck Jul 18, 2019
4cecf1c
Update doc/api/policy.md
bmeck Jul 20, 2019
1f1e8d8
add doc note about needing more mitigations
bmeck Jul 22, 2019
ae801f2
add tests and wildcards
bmeck Jul 22, 2019
3514dbc
slightly better docs
bmeck Jul 22, 2019
88c578c
fix ESM integration / tests
bmeck Jul 23, 2019
5774f78
lint nits
bmeck Jul 23, 2019
8a2e4a5
doc wording
bmeck Jul 24, 2019
282ed3f
doc wording
bmeck Jul 24, 2019
7452bb6
doc wording
bmeck Jul 24, 2019
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Prev Previous commit
Next Next commit
add doc note about needing more mitigations
  • Loading branch information
@bmeck
bmeck committed Jul 22, 2019
commit 1f1e8d8771fb66fb8bd7f981590a66121f589a3c
4 changes: 4 additions & 0 deletions doc/api/policy.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -146,6 +146,10 @@ the manifest and then immediately be used without searching.
Any specifier missing from the list of dependency will result in an error
Comment thread
bmeck marked this conversation as resolved.
Outdated
Copy link
Copy Markdown
Contributor

@sam-github sam-github Jul 23, 2019

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

what does it mean for a specifier to be "missing"? do you mean "any string that is require()ed and not listed in the dependencies will result in an error"?

Copy link
Copy Markdown
Member Author

@bmeck bmeck Jul 23, 2019

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

yes.

Copy link
Copy Markdown
Member Author

@bmeck bmeck Jul 24, 2019

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

i've put in your text but included the word specifier as it has a meaning that I feel is important.

according to the policy.

This will not prevent access to APIs through other means such as direct access
to `require.cache` and/or through `module.constructor`. Other means such as
attenuating variables are necessary to lock down that path of loading modules.
Copy link
Copy Markdown
Contributor

@sam-github sam-github Jul 23, 2019

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

what does "attenuation" mean wrt. JS variables?

Copy link
Copy Markdown
Member Author

@bmeck bmeck Jul 23, 2019

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Attenuation is a term used in various meetings we have about SES / Realms / etc. in TC39 meetings. Attenuation equates roughly to providing a specialized view of a variable/object/module etc. For example an attenuated fs would be a fs implementation different from the normal one. Attenuating a variable would be replacing the value with one that has been given a different implementation such as removing access to module.constructor or require.cache.

Copy link
Copy Markdown
Member Author

@bmeck bmeck Jul 24, 2019

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

i've rephrased this


#### Example: Patched Dependency

Since a dependency can be redirected, you can provide attenuated or modified
Expand Down