We are building an app that allows users to build and use their own plugins. Our plugin system works just like regular node modules by leveraging this code to `require` a plugin:
```javascript
function requireFromString(src, filename) {
  var m = new module.constructor();
  m.paths = module.paths;
  m._compile(src, filename);
  return m.exports;
};

requireFromString(`
  function main() {
    console.log('Hello, World!');
  }
  module.exports = main;
`, 'mymodule.js')
// credit https://stackoverflow.com/questions/17581830/load-node-js-module-from-string-in-memory (answer by Dominic)
```
Now I am wondering how we can implement a bit of security in this approach. Since it's possible users might share their modules with other users, we want to attempt to prevent the authors from doing something malicious to another user. Is there a recommended way to blacklist certain modules or permissions in Node?
For example, the plugins will never need to write files to the end user's OS. Can this permission be denied for the plugin? For example blocking the plugin from `require`ing the `fs` module?
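One way to keep a plugin loaded from a string away from `fs`, as an added example that is not part of the original question: it uses an allowlist in place of the blacklist asked about (so aliases such as `node:fs` and `fs/promises` are refused too) and compiles the source with `vm.compileFunction` instead of `m._compile`. The names `requirePluginFromString`, `makeRestrictedRequire`, `ALLOWED_MODULES`, `PLUGIN_MODULE_DENIED`, `tryLoad` and the sample plugins are assumptions made for illustration.

```javascript
const vm = require('vm');
const path = require('path');

// Assumed policy: the only modules a plugin may load (hypothetical list).
const ALLOWED_MODULES = new Set(['path', 'url', 'util']);

// Build a require() replacement that refuses anything off the allowlist.
function makeRestrictedRequire(allowed) {
  return function restrictedRequire(id) {
    // 'node:fs' and 'fs' name the same built-in, so normalise first.
    const name = String(id).replace(/^node:/, '');
    if (!allowed.has(name)) {
      const err = new Error(`plugin may not require '${id}'`);
      err.code = 'PLUGIN_MODULE_DENIED'; // hypothetical error code
      throw err;
    }
    return require(name);
  };
}

// Same role as requireFromString, but the plugin receives the filtered
// require instead of the host's own.
function requirePluginFromString(src, filename, allowed = ALLOWED_MODULES) {
  const fn = vm.compileFunction(src,
    ['exports', 'require', 'module', '__filename', '__dirname'], { filename });
  const mod = { exports: {} };
  fn.call(mod.exports, mod.exports, makeRestrictedRequire(allowed), mod,
    filename, path.dirname(filename));
  return mod.exports;
}

// Constructed sample plugins: one stays inside the policy, one asks for fs.
const goodPlugin = "const path = require('path'); module.exports = (p) => path.basename(p);";
const badPlugin = "const fs = require('node:fs'); module.exports = () => fs.writeFileSync('out.txt', 'x');";

// Load a plugin and report whether the policy let it through.
function tryLoad(src, filename) {
  try {
    return { ok: true, exports: requirePluginFromString(src, filename) };
  } catch (err) {
    return { ok: false, code: err.code };
  }
}
```

The filter narrows only `require`; the plugin still runs inside the host process and shares its globals, so this is a policy check and not an isolation boundary by itself.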