[Feature idea] Default config that scopes permissions to project folders
berstend opened this issue
To make using `node-safe` more frictionless we could add support for a "default" `~/.node-safe/.node-safe.json` file.

Whenever `node-safe` (or `node` when using the shell integration) or the package managers are called and no custom permissions (cli, envs, local `.node-safe.json`) are found, we could fall back to that global default config.

The config itself would use permissive `[project]/**` permissions, which means they would allow most things but confine them to the project directory (the one that contains the `package.json`, or the `cwd` if no `package.json` is found).

That would result in much better security by default, while not necessarily having to configure anything for typical projects (which would still be possible though).

Note: If in addition custom permissions are provided (cli, envs, local `.node-safe.json`) we would ignore the default file and not merge it, as otherwise we'd need to support `disable-net` commands and the like.
Possible default permissions:

```json
{
  "node": {
    "allow-read-write": "[project]/**,[temp]/**",
    "allow-run": "[project]/**,[bin]/**",
    "allow-net": true
  }
}
```
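An added sketch of the fallback rule described above, as example code rather than node-safe's own implementation: it locates the project directory via `package.json` (else `cwd`), picks custom permissions over the default file without merging, and expands the `[project]`, `[temp]` and `[bin]` placeholders. The helper names and the directory values used for the placeholders are assumptions.

```javascript
// Example only: not node-safe's code. Helper names are hypothetical;
// the permission keys and values come from the issue's proposed default.
const DEFAULT_CONFIG = {
  node: {
    "allow-read-write": "[project]/**,[temp]/**",
    "allow-run": "[project]/**,[bin]/**",
    "allow-net": true,
  },
};

// Walk up from cwd to the nearest directory containing package.json.
// `fileExists` is injected so the example runs offline against a fake tree.
// If no package.json is found anywhere, the issue says to use cwd itself.
function findProjectDir(cwd, fileExists) {
  let dir = cwd.replace(/\/+$/, "") || "/";
  for (;;) {
    const candidate = (dir === "/" ? "" : dir) + "/package.json";
    if (fileExists(candidate)) return dir;
    if (dir === "/") return cwd; // reached filesystem root: fall back to cwd
    dir = dir.slice(0, dir.lastIndexOf("/")) || "/";
  }
}

// Replace [project]/[temp]/[bin] in one permission value; booleans such as
// "allow-net": true pass through unchanged.
function expandPlaceholders(value, vars) {
  if (typeof value !== "string") return value;
  return value.replace(/\[(project|temp|bin)\]/g, (_, key) => vars[key]);
}

// The issue's rule: if ANY custom source (cli flags, env vars, local
// .node-safe.json) supplies permissions, use only those and do not merge
// the global default; otherwise fall back to the default file's "node" block.
function resolvePermissions({ cli, env, local, defaults, vars }) {
  const custom = [cli, env, local].find((c) => c && Object.keys(c).length > 0);
  const chosen = custom || defaults.node;
  const perms = {};
  for (const [key, val] of Object.entries(chosen)) {
    perms[key] = expandPlaceholders(val, vars);
  }
  return { source: custom ? "custom" : "default", perms };
}
```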