sandworm-hq / sandworm-guard-js Goto Github PK

Currently, with the default setting of ignoreExtensions: true:

• any call path that starts with an extension url is labeled as root;
• call paths that include but do not start with extension urls are still captured.

What is expected:

• when ignoreExtensions is true, any call path that includes extensions should be passed through with no capturing or tracking.

Manage releases via https://github.com/googleapis/release-please/ and our CircleCI pipeline.

Closes #24

Many of our unit tests are currently batched together. This makes errors harder to debug and running specific tests impossible. Many tests are also opaque, and lack a proper description of what's being tested.

We should:

• structure the specs so that each function is tested individually, in a test with a relevant description
• add jsdom as an execution env to test browser-specific functionality

CI should fail if lint issues are present in the code.

The SandwormError being thrown on access denied can get swallowed by any dependency before it's able to reach root.

We should allow users to provide a custom callback that gets invoked before the error being thrown, so root-level code can always know about access denied issues.

We've explored the idea of supporting the collection of anonymous reports from the inspector, including the module name and the family and method invoked. This would bring several mid and long term benefits:

• we would then be able to build an open-source catalogue of per-package permission reqs, collected from Sandworm running in real-life apps;
• this would make it easier to audit packages without needing to run code, as users could rely on common knowledge about a package's requirements
• we could make setting up Sandworm easier, as we could suggest required permissions for all installed packages
• we could start looking at anomaly detection

We should start with a simple serverless raw ingestion setup for events.
Users should be informed about what & why we track, and should be able to easily opt out.

Currently, our library descriptors include description and url props that are not used by the core library, and are only used:

• by the inspector React app, to build detailed representations for permissions
• by the generate-library-md script, to build LIBRARY.md

This adds a lot of bulk to the Sandworm lib, and should be excluded from the build.

We should let users know about the inspector sending anonymous data to the permission db, and how to disable it.

Our current sourcemap parsing engine, source-map-js, is a fork of the original Mozilla module, but with several optimizations and without WASM.

This is not ideal because:

• Source map processing makes up for more than 2/3 of our bundle size
• source-map-js also bundles a generator that we don't need
• it uses new Function() internally, which is potentially dangerous

Ideally, we should be able to internally parse sourcemaps, and remove this single dependency that Sandworm currently has.

Since we're using Release Please to put our releases together, we should also enforce the usage of conventional commits, since the changelog and semver rely on that.

Some Node methods internally invoke other Node methods from our library as part of their standard execution process.
For example:

• require itself calls a number of methods, like fs.openSync or vm.compileFunction;
• https.request internally calls dns.lookup.

Create a cache for the stack line parser, so we can increase performance by reducing regex match calls.

We should allow segmenting root code into multiple "virtual" modules based on the file path.
This would enable easier auditing of specific portions of the root code. For example, when running tests, we could discern between calls being made from the core code and calls being made from testing infrastructure.