secure-fs v1.0.2
secure-fs
Drop in fs replacement with secure defaults.
Node.js default modes for file (0o666) and directory (0o777) creation are insecure. They both grant world write access. This module enables easy file system interaction with secure modes by default. File creations use 0o600, owner RW. Directory creations use 0o700, owner RWX.
World writable resources such as config files can allow other users to control program behavior. In some cases there's code injection through the config file, which can lead to privilege elevation. World writable directories have the same weakness since they allow adding files within them. A world writable config directory /etc/froznator/conf.d offers a route to controlling program behavior through a new config file. MITRE calls this CWE-732, one of the top 25 most dangerous vulnerabilities.
Usage
$ npm install secure-fsimport fs from 'secure-fs/promises'
// Directory created securely
await fs.mkdir('/etc/froznator/conf.d')
// File created securely
await fs.writeFile('/etc/froznator/conf.d/main.conf', 'AdminPassword: 123')
// Read sensitive data with confidence
const config = await readConfig('/etc/froznator/conf.d/main.conf')
if (password === config.AdminPassword) showAdminInterface()