[英]Prevent all outgoing requests from NodeJS server?
Is there any existing technique or npm package that can prevent all outgoing requests from a NodeJS server, allowing only responses to incoming requests? 是否有任何现有技术或npm软件包可以阻止NodeJS服务器发出的所有传出请求,仅允许对传入请求进行响应? This could prevent phone-home type attacks in deep dependencies missed in security audits. 这可以防止在安全审核中遗漏的深层依赖中的电话家庭类型攻击。
A firewall. 防火墙。
That's truly the only way. 那确实是唯一的方法。 Remember though that there is nothing stopping some code from accepting commands from clients connecting to it. 请记住,虽然没有什么能阻止某些代码接受来自与其连接的客户端的命令。
Have a look at 看一下
The first link shows a firewall rule bound to a particular user. 第一个链接显示绑定到特定用户的防火墙规则。 Easy and simple. 简单容易。 Why use another npm module with deep dependencies you don't want to trust ;-) 为什么要使用另一个您不想信任的具有深层依赖关系的npm模块;-)
If you're looking for pure node.js solution, you can do something like that. 如果您正在寻找纯粹的node.js解决方案,则可以执行类似的操作。
Using some module like mockery
you can limit what calls your javascript module can do to node.js core. 使用诸如mockery
模块,您可以将您的javascript模块可以执行的操作限制为node.js核心。 For example, if you override require('net').connect
, it'll make harder for malicious code to execute something. 例如,如果您覆盖require('net').connect
,那么恶意代码将很难执行某些操作。
I don't know of any existing solutions, but it's definitely possible, and I'd really like to see one. 我不知道任何现有的解决方案,但是绝对有可能,我真的很想看到一个解决方案。
That said, the generic approaches to this problem are completely outside of node.js scope: 也就是说,解决此问题的通用方法完全不在node.js范围内:
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.