Setting allowList dynamically from database

Hi!

I'm running node-red using docker. When node-red starts, I would like to set the settings.externalModules.palette.allowList using values from a database.

For now, I use the storageModule. In the exported module, I use init to make an API call and
then modify the settings fed into the module.

What is the "correct" or best way to go about doing this?

A couple of things to check first.

  1. You realise that changing the Node-RED settings from within Node-RED is dangerous right?
  2. Do you realise that you have to restart Node-RED to pick up the changed settings?

Thank you for the response!

  1. Could you elaborate on why changing Node-RED settings from within Node-RED is dangerous? I am in control of the database and the only change is to set the allowList.

  2. Yes, the allowList should be set whenever node-red is restarted / on startup.

Sure. The settings.js file controls the base settings of Node-RED. That includes all of the key security settings.

So if you allow Node-RED to make changes to its own settings, anyone/anything that manages to get access to your flows can undo any security that you have baked in.

It is all too easy to make assumptions (e.g. you are the only person with access maybe). But these can drift over time and mistakes happen - we've seen plenty of cases where bad actors have managed to get access to Node-RED flows that people thought only they had access to.

So Secure by Design principles would dictate that you don't allow Node-RED to make changes to itself. And similarly that you control what access Node-RED has to the rest of your server and other resources.

Having a Node-RED flow that makes changes to the allowList is, at the end of the day, pretty pointless from a security perspective.