Re-visiting the file node ahead of 0.20 I'm thinking that we ought to add a blocklist capability to allow the owner to stop the file node from reading and writing where maybe it shouldn't. Right now the file node can potentially read any file that it has operating system permission to access.
I'm thinking that the filename should be checked to see if it's path or filename is blocked before reading or writing is allowed. By using a glob engine like micromatch (https://github.com/micromatch/micromatch) we could allow matching to both directories (like /etc) or files (like the settings.js file) in an easy to use way.
I think that there are two things to consider... some should be hard-coded into the node (ie can't be undone) and some should be specifiable in settings.js so users can remove the initial default list and allow more potentially dangerous actions. I'm thinking the Node-RED user directory should be hard-coded, and things like /etc/ ~/.ssh/ soft-coded.
So - thoughts please - and what/where should be hardcoded and what/where user settable but default.