Add a configurable node_modules allow-list (#47)

Adds an allow-list for node_modules that directly load user code
and so are suitable scripts to use with --inspect.  Additional
modules can be included by adding them to the WRAPPER_ALLOWED
environment variable, separated by spaces.

Author: briandealwis

nodejs/wrapper.go

@@ -22,6 +22,11 @@ limitations under the License.
 // script, this wrapper strips out and propagates `--inspect`-like arguments
 // via `NODE_DEBUG`.  When executing an app script, this wrapper then inlines
 // the `NODE_DEBUG` when found.
+// 
+// A certain set of node_modules scripts are treated as if they are application scripts.
+// The WRAPPER_ALLOWED environment variable allows identifying node_modules scripts
+// that should be treated as application scripts, meaning that they load and execute
+// the user's scripts directly. 
 package main
 
 import (
@@ -37,6 +42,9 @@ import (
 	"github.com/sirupsen/logrus"
 )
 
+// the next.js launcher loads user scripts directly
+var allowedNodeModules = []string{"node_modules/.bin/next"}
+
 // nodeContext allows manipulating the launch context for node.
 type nodeContext struct {
 	program string
@@ -47,7 +55,7 @@ type nodeContext struct {
 func main() {
 	env := envToMap(os.Environ())
 	logrus.SetLevel(logrusLevel(env))
-	
+
 	logrus.Debugln("Launched: ", os.Args)
 
 	// suppress npm warnings when node on PATH isn't the node used for npm
@@ -79,31 +87,36 @@ func run(nc *nodeContext, stdin io.Reader, stdout, stderr io.Writer) error {
 		return fmt.Errorf("could not unwrap: %w", err)
 	}
 	logrus.Debugln("unwrapped: ", nc.program)
-	
+
 	if !isEnabled(nc.env) {
 		logrus.Info("wrapper disabled")
 		return nc.exec(stdin, stdout, stderr)
 	}
 
-	// Use an absolute path in case we're being run within a node_modules directory
-	// If there's an error, then hand off immediately to the real node.
+	// script may be "" such as when the script is piped in through stdin
 	script := findScript(nc.args)
-	if abs, err := filepath.Abs(script); err == nil {
-		script = abs
-	} else {
-		logrus.Warn("could not access script: ", err)
-		return nc.exec(stdin, stdout, stderr)
-	}		
+	if script != "" {
+		// Use an absolute path in case we're being run within a node_modules directory
+		// If there's an error, then hand off immediately to the real node.
+		if abs, err := filepath.Abs(script); err == nil {
+			script = abs
+		} else {
+			logrus.Warn("could not access script: ", err)
+			return nc.exec(stdin, stdout, stderr)
+		}
+	}
 	logrus.Debugln("script: ", script)
 
+	// If NODE_DEBUG is set then our parent process was this wrapper, and
+	// NODE_DEBUG contains the --inspect* argument provided back then.
 	nodeDebugOption, hasNodeDebug := nc.env["NODE_DEBUG"]
 	if hasNodeDebug {
 		logrus.Debugln("found NODE_DEBUG=", nodeDebugOption)
 	}
 
-	// if we're about to execute the application script, install the NODE_DEBUG
+	// If we're about to execute the application script, install the NODE_DEBUG
 	// arguments if found and go
-	if isApplicationScript(script) || script == "" {
+	if script == "" || isApplicationScript(script) || isAllowedNodeModule(script, nc.env) {
 		if hasNodeDebug {
 			nc.stripInspectArgs() // top-level debug options win
 			nc.addNodeArg(nodeDebugOption)
@@ -255,6 +268,23 @@ func isApplicationScript(path string) bool {
 		!strings.HasSuffix(path, "/bin/npm")
 }
 
+// isAllowedNodeModule returns true if the script is an allowed node_module, meaning
+// one that is or directly launches the user's code.
+func isAllowedNodeModule(path string, env map[string]string) bool {
+	allowedList := allowedNodeModules
+	if v, found := env["WRAPPER_ALLOWED"]; found {
+		split := strings.Split(v, " ")
+		allowedList = append(allowedList, split...) 
+	}
+	for _, allowed := range allowedList {
+		if strings.HasSuffix(path, allowed) {
+			logrus.Infof("script %q matches %q from allowed node_modules", path, allowed)
+			return true
+		}
+	}
+	return false
+}
+
 // envToMap turns a set of VAR=VALUE strings to a map.
 func envToMap(entries []string) map[string]string {
 	m := make(map[string]string)

nodejs/wrapper_test.go

@@ -146,6 +146,30 @@ func TestIsApplicationScript(t *testing.T) {
 	}
 }
 
+func TestIsAllowedNodeModule(t *testing.T) {
+	tests := []struct {
+		script   string
+		env      map[string]string
+		expected bool
+	}{
+		{"./node_modules/lib/script.js", nil, false},
+		{"./node_modules/.bin/next", nil, true},
+		{"node_modules/nodemon/nodemon.js", nil, false},
+		{"node_modules/nodemon/nodemon.js", map[string]string{"WRAPPER_ALLOWED": "foo bar"}, false},
+		{"node_modules/nodemon/nodemon.js", map[string]string{"WRAPPER_ALLOWED": "nodemon/nodemon.js"}, true},
+		{"node_modules/nodemon/nodemon.js", map[string]string{"WRAPPER_ALLOWED": "foo nodemon/nodemon.js bar"}, true},
+	}
+
+	for _, test := range tests {
+		t.Run(test.script, func(t *testing.T) {
+			result := isAllowedNodeModule(test.script, test.env)
+			if result != test.expected {
+				t.Errorf("expected %v but got %v", test.expected, result)
+			}
+		})
+	}
+}
+
 func TestEnvFromMap(t *testing.T) {
 	tests := []struct {
 		description string
@@ -535,7 +559,7 @@ done
 		},
 
 		// node_module scripts should have --inspect stripped and propagated,
-		// and NODE_DEBUG should never be overwritten
+		// and NODE_DEBUG should never be overwritten, EXCEPT for allowed modules
 		{
 			description: "node_modules script: passed through",
 			args:        []string{"node_modules/script.js"},
@@ -552,6 +576,17 @@ done
 			env:         map[string]string{"WRAPPER_ENABLED": "0"},
 			expected:    "--inspect=9229\n./node_nodules/script.js\n",
 		},
+		{
+			description: "node_modules script: inspect left alone for next.js launcher",
+			args:        []string{"--inspect=9229", "./node_nodules/.bin/next"},
+			expected:    "--inspect=9229\n./node_nodules/.bin/next\n",
+		},
+		{
+			description: "node_modules script: inspect left alone with WRAPPER_ALLOWED=script.js",
+			args:        []string{"--inspect=9229", "./node_nodules/script.js"},
+			env:         map[string]string{"WRAPPER_ALLOWED": "script.js"},
+			expected:    "--inspect=9229\n./node_nodules/script.js\n",
+		},
 		{
 			description: "node_modules script with inspect: seeds NODE_DEBUG",
 			args:        []string{"--inspect", "node_modules/script.js"},