Skip to main content
Version: 2.8.1

๐Ÿ” Security

๐Ÿ›ก๏ธ Security & Isolation

Security implications, isolation mechanisms, and safe usage patterns for reactions.

๐Ÿ”’ Security & Isolationโ€‹

๐Ÿ” JavaScript Isolationโ€‹

  • Each reaction runs in a separate V8 context
  • Memory isolation prevents code interference
  • Helper functions provide controlled system access
  • No direct system call access

๐ŸŒ Network Policy Integrationโ€‹

  • Network blocking functions require netpolicy feature enabled
  • Automatic validation of network helper usage
  • Graceful degradation when netpolicy unavailable

๐Ÿ“ File System Securityโ€‹

  • Temporary directories created with 0700 permissions
  • Restricted to safe temporary locations
  • Automatic cleanup after execution

โš ๏ธ Error Handlingโ€‹

  • Comprehensive error codes for all operations
  • Detailed error messages for debugging
  • Graceful failure modes

๐Ÿ” Security Considerationsโ€‹

โœ… Input Validationโ€‹

Always validate data before using it in operations:

reactions:
  - format: js
    code: |
      function process(data) {
        // Validate input data
        if (!data || !data.process) {
          Error("Invalid event data received");
          return;
        }

        // Sanitize strings before logging
        let cmd = data.process.cmd || "unknown";
        if (cmd.length > 1000) {
          cmd = cmd.substring(0, 1000) + "... (truncated)";
        }

        Info("Process: " + cmd);
      }

๐Ÿ“ File Path Securityโ€‹

Be careful with file operations:

reactions:
  - format: js
    code: |
      function process(data) {
        // Validate file paths
        let filePath = data.file ? data.file.file : "";

        // Ensure we're not writing to sensitive locations
        if (filePath.startsWith("/etc/") || filePath.startsWith("/sys/")) {
          Error("Attempted to write to sensitive location: " + filePath);
          return;
        }

        // Use safe temporary directories
        let tmpDir = CreateTempDir("evidence-*");
        if (tmpDir !== "") {
          let safePath = tmpDir + "/safe-evidence.json";
          WriteFile(safePath, JSON.stringify(data));
        }
      }

Network Securityโ€‹

Network operations should be used judiciously:

reactions:
  - format: js
    code: |
      function process(data) {
        // Only block external IPs, not internal infrastructure
        if (data.background && data.background.flows) {
          // Extract remote IPs
          let remoteIps = [];
          // ... extraction logic ...

          for (let ip of remoteIps) {
            // Don't block internal network ranges
            if (!ip.startsWith("10.") && 
                !ip.startsWith("192.168.") && 
                !ip.startsWith("172.16.")) {
              NetBlockIp(ip);
            }
          }
        }
      }