Sandworm Guard

Enforcing Permissions

To run in production mode and start enforcing module API access restrictions, pass a permissions array to Sandworm.init:

const Sandworm = require('@sandworm/guard');
Sandworm.init({
    // Enforcement applies when devMode is false. With this check an unset
    // NODE_ENV evaluates to false, so a missing variable fails closed (enforces).
    devMode: process.env.NODE_ENV === 'development',
    // One descriptor per module: the module name and the exact methods it may call.
    permissions: [{module: 'react-use', permissions: ['Storage.getItem', 'Storage.setItem']}],
});
  • Set devMode from an environment variable or any other signal available at startup. Enforcement only applies when devMode is false, so write the check so that an unexpected or missing value leaves devMode false rather than true.

  • Provide an array of permission descriptors: objects with a module name and a permissions array of strings naming the allowed methods (see Describing Permissions for the method naming scheme).

  • The inspector can generate a baseline permissions array for you from the activity captured in dev mode. Review that baseline before shipping it: it allowlists whatever each dependency did during the captured run, no more and no less.

When it detects an unauthorized execution attempt, Sandworm throws a SandwormError. Besides the message attribute, the error object carries details about the event:

  • module: the invoking module name or path

  • method: the invoked method, for example fs.readFile

Note that a SandwormError can be caught and swallowed by third-party code (a dependency's own try/catch, or a promise chain that never rethrows) and so may never reach your application's top level. Catching SandwormError is therefore recommended but not sufficient on its own. To make sure your application is notified about every unauthorized execution, use the onAccessDenied configuration option to register a callback; Sandworm always invokes it right before throwing, passing the SandwormError object as the only argument.

const Sandworm = require('@sandworm/guard');
Sandworm.init({
    devMode: process.env.NODE_ENV === 'development',
    permissions: [...],
    // Called before the throw, even if a dependency later swallows the error.
    onAccessDenied: (error) => {
      // error.module: the calling module; error.method: the denied method
      trackOrLogError(error.module, error.method);
    },
});
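The following self-contained JavaScript is an added illustration, not Sandworm's own code (the real implementation lives in @sandworm/guard). It models the allowlist described above and the onAccessDenied hook, then shows the failure mode the previous paragraph warns about: a dependency that wraps the call in try/catch swallows the SandwormError, yet the callback still fires because it runs before the throw. It also shows how dev-mode captures can be folded into a baseline permissions array. Everything here (buildGuard, check, baseline, swallowingThirdParty, the 'some-dep' module name, and the record-only dev-mode behaviour) is constructed for this example; only the shape of the permissions array and the module/method fields on the error come from the page.

```javascript
// Stand-in for the error Sandworm throws; carries the two fields the page lists.
class SandwormError extends Error {
  constructor(mod, method) {
    super(`Sandworm: ${mod} is not allowed to call ${method}`);
    this.name = 'SandwormError';
    this.module = mod;      // invoking module name or path
    this.method = method;   // invoked method, e.g. fs.readFile
  }
}

// Hypothetical guard built from a permissions array of the shape shown above:
// [{module: 'react-use', permissions: ['Storage.getItem', 'Storage.setItem']}]
function buildGuard({ devMode = false, permissions = [], onAccessDenied } = {}) {
  const allow = new Map();
  for (const { module: mod, permissions: methods } of permissions) {
    allow.set(mod, new Set(methods));
  }
  const captured = []; // dev-mode activity, later turned into a baseline

  // Returns true when the call is permitted; otherwise notifies, then throws.
  function check(mod, method) {
    if (devMode) {
      captured.push({ module: mod, method });
      return true; // assumption for this example: dev mode records and never blocks
    }
    const allowed = allow.get(mod);
    if (allowed && allowed.has(method)) return true;
    const err = new SandwormError(mod, method);
    if (onAccessDenied) onAccessDenied(err); // fires before the throw, always
    throw err;
  }

  // Collapse captured dev-mode activity into a permissions array.
  function baseline() {
    const byModule = new Map();
    for (const { module: mod, method } of captured) {
      if (!byModule.has(mod)) byModule.set(mod, new Set());
      byModule.get(mod).add(method);
    }
    return [...byModule].map(([mod, methods]) => ({
      module: mod,
      permissions: [...methods].sort(),
    }));
  }

  return { check, baseline };
}

// A third-party module that swallows every error from the API it wraps:
// the SandwormError never reaches the application, only the callback does.
function swallowingThirdParty(guard, method) {
  try {
    guard.check('some-dep', method);
    return 'ok';
  } catch (e) {
    return 'failed';
  }
}

function demo() {
  const denied = [];
  const guard = buildGuard({
    devMode: false,
    permissions: [{ module: 'react-use', permissions: ['Storage.getItem', 'Storage.setItem'] }],
    onAccessDenied: (e) => denied.push(`${e.module}:${e.method}`),
  });

  let caught = null;
  try {
    guard.check('react-use', 'fs.readFile'); // not in the allowlist
  } catch (e) {
    caught = e;
  }

  const swallowed = swallowingThirdParty(guard, 'child_process.exec');

  return {
    allowed: guard.check('react-use', 'Storage.getItem'),
    caughtName: caught && caught.name,
    caughtModule: caught && caught.module,
    swallowed,   // 'failed': the dependency hid the error from us
    denied,      // but onAccessDenied saw both denials
  };
}

// Dev-mode run: nothing is blocked, activity is captured, baseline is derived.
function devModeBaseline() {
  const guard = buildGuard({ devMode: true });
  guard.check('react-use', 'Storage.setItem');
  guard.check('react-use', 'Storage.getItem');
  guard.check('react-use', 'Storage.getItem');
  return guard.baseline();
}
```

Run demo() and note that swallowed is 'failed' while denied still lists 'some-dep:child_process.exec': the application would have had no idea the dependency tried to call child_process.exec if it relied on catching the error alone. That is the reason to route denials through onAccessDenied to your logging or alerting path rather than only wrapping entry points in try/catch.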
Last updated 2 years ago