Node-Red security

Chris Morris

Aug 26, 2015, 11:52:51 AM
to Node-RED
I was pleased to read "When a message arrives, the code is wrapped into a full function declaration and then run within a secure sandbox."

Is there an architecture document for Node-RED, or a security assessment? Something stating the security qualities designed in, and maybe the threat model that the architecture assumes? It would be great to read it.

We are finding Node-RED great as a development tool for IoT, but I'm unclear on the security issues involved in using it in a production role.

regards,
Chris Morris

Chris Morris

Aug 27, 2015, 9:37:51 AM
to Node-RED
Further to this, I see that 80-function.js uses the "vm" module to make sandboxes.

This is a good start. However, a quick test shows that code sandboxed this way can still exploit the bind vulnerability described here: https://blog.liftsecurity.io/2015/04/27/when-this-is-really-that. The code in 80-function.js also deliberately passes the util object to the "sandboxed" code, leading to other vulnerabilities.

The blog quoted says "The impact here is that a useful Node.js sandbox without VM/OS level isolation will never be secure.", and the documentation of vm says: "Note that running untrusted code is a tricky business requiring great care. script.runInContext is quite useful, but safely running untrusted code requires a separate process."

I'm not sure that this is correct. See http://arxiv.org/abs/1506.07813 for a robust approach to sandboxing JavaScript code. To avoid the vulnerability above, it would avoid passing global.Function.bind into the sandboxed process. The authors use a type system argument to demonstrate that the set of exclusions they propose is adequate.

For these tests, I am running with --harmony_modules --harmony_proxies.

Julian Knight

Aug 30, 2015, 8:24:03 AM
to Node-RED
Hi Chris, I expect Nick/Dave will chip in at some point after holidays.

From my own perspective, I'd have to say that NR cannot be considered for high-security production use as it stands. That, of course, was never its intention as far as I can tell as an outsider, so that isn't particularly a criticism, simply an observation.

I would also say that, since NR is based around Node.JS, Node itself is in a similar place as indicated by the fact that it has remained in "beta" state for many years now.

I think that, to run in production with a reasonable expectation of security, you would probably need a number of technologies to support:
  1. Ensure that all web interactions (including websockets) are properly filtered and sanitised
  2. Run NR in embedded form using Node.JS security features (e.g. logins)
  3. Run behind a secure web frontend such as NGINX with Phusion Passenger (which you can also use to keep the whole thing running, restarting automatically on failure and running as a cluster if needed)
  4. Run the whole thing in a container (Docker?) to help isolate the code from the host OS
Then get a specialist to do at least a comprehensive penetration test on the whole configuration.

Just a few thoughts anyway; my use of NR and Node.JS is mainly personal rather than professional, so I can't claim to be an expert in their security. Hope they are helpful.