Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

How to prevent confidential data from being included in WebPack bundles

Tags:

I'm worried that, by ommission, modules containing secrets like database passwords or session keys could be included in WebPack or Browserify bundles.

Even if I don't import those modules directly, I could accidentally import them indirectly from the client-side entrypoint module.

Is there a way to blacklist such files so that those bundlers will refuse to bundle them? As willing as one might be to follow best practices that could avoid problems like this, it would be nice to have such a safety net.

like image 822
Gui Prá Avatar asked Aug 02 '16 18:08

Gui Prá


People also ask

What is chunking in webpack?

Chunk: This webpack-specific term is used internally to manage the bundling process. Bundles are composed out of chunks, of which there are several types (e.g. entry and child).

What are 4 core concept of webpack?

There are four basic concepts in webpack: entry , output , modules and plug-ins . These configurations are added in webpack.

How does webpack bundling work?

When webpack processes your application, it internally builds a dependency graph from one or more entry points and then combines every module your project needs into one or more bundles, which are static assets to serve your content from.

What is external in webpack?

The Webpack Externals are used to ignore the packages from the application while bundling and adding them as external CDN script references. This article provides a step-by-step introduction to creating a simple react application and configuring the Syncfusion react packages with Externals.


1 Answers

When importing files via loaders, you can choose either to blacklist or whitelist directories through the include and exclude properties. These can be a RegEx or absolute paths.

A simple example

The following prevents any JavaScript file from being included in the bundle that exists in the ./secret directory.

 var path = require('path');
        module.exports = {
          // Configuration omitted for brevity
          module :{
            loaders : [
                { 
                  test: /\.js$/, 
                  loader: "script",
                  exclude : path.resolve(__dirname, './secret')  // Exclude secret directory
                },
                { 
                  test: /\.css$/, 
                  loader: "style!css" 
                }
            ]
          }
        };

Complex example applying filters for all loaders

If you wanted to prevent files from the ./secret directory from being accidentally imported, and only allow files within that contain src you could do the following.

var path = require('path');
var blackList = [ path.resolve(__dirname, './secret') ];
var whiteList = [ /src/ ]; // Allow only directories containing "src"

var config = { 
...
/// Webpack configuration
};

// Apply whitelisting and blacklisting for all loaders
config.module.loaders.forEach(function(loader)
{
   loader['exclude'] = [...(loader['exclude'] || []), ...blackList];
   loader['include'] = [...(loader['include'] || []), ...whiteList];
});

module.exports = config;

The example is a bit complex, but it should give you a good idea how to perform it. In a nutshell, loop though your loaders and append additional includes/excludes as needed.

Bonus: Give type to your secret data

If you do have confidential data existing in your code base, I suggest providing a type to the filename. For example, if your file was named sqlconnections.js I would rename it to sqlconnections.confidential.js. Then I would add an exclude RegEx pattern of /\.confidential\.js$/ to my loaders. This creates a convention that can be reused across your code base.

like image 166
cgatian Avatar answered Sep 29 '22 18:09

cgatian