Where's the "Sandbox" then? Running commands

I was just playing with speedtest and it was suggested I use an Ubuntu command, speedtest-cli

I installed it and it is installed in /usr/bin/

And - surprisingly to me in some ways - it works when I put it in the exec node.

WHY?

I thought node-red was sandboxed to its directory and sub-folders.

Not super concerning, but just to help me learn.
🙂

An exec node can do anything that the user running node red can do. The sandbox is for the function node.

Can you expand on this?
This flow runs OS commands with execSync() in a function node.
I don't think I have made any changes in settings.js to enable this.

[{"id":"f25f5b82ef69d0c5","type":"function","z":"24571e38fbe87e0f","name":"function 10","func":"try {\n    msg.payload = childProcess.execSync(msg.payload).toString().trim();\n} catch (err) {\n    // If there's an error, attach it to the message\n    msg.payload = `Error executing command: ${err.message}`;\n}\n\nreturn msg;","outputs":1,"timeout":0,"noerr":0,"initialize":"","finalize":"","libs":[{"var":"childProcess","module":"child_process"}],"x":670,"y":100,"wires":[["32aad220a2dded1f"]]},{"id":"f59cde23e2bc699e","type":"inject","z":"24571e38fbe87e0f","name":"","props":[{"p":"payload"},{"p":"topic","vt":"str"}],"repeat":"","crontab":"","once":false,"onceDelay":0.1,"topic":"","payload":"whoami","payloadType":"str","x":510,"y":100,"wires":[["f25f5b82ef69d0c5"]]},{"id":"32aad220a2dded1f","type":"debug","z":"24571e38fbe87e0f","name":"debug 4","active":true,"tosidebar":true,"console":false,"tostatus":false,"complete":"false","statusVal":"","statusType":"auto","x":680,"y":140,"wires":[]},{"id":"eecb5aa49634c09c","type":"inject","z":"24571e38fbe87e0f","name":"","props":[{"p":"payload"},{"p":"topic","vt":"str"}],"repeat":"","crontab":"","once":false,"onceDelay":0.1,"topic":"","payload":"sudo whoami","payloadType":"str","x":490,"y":140,"wires":[["f25f5b82ef69d0c5"]]}]

It is sandboxed from the node process running node-red. It uses the node VM.

If you use process exec or spawn, etc, you can still do things like access the system. That is why you should always use a service account with just the right amount of permissions to do what you want to let node-red do to your system.

1 Like

Thanks Steve.

And it is also important to know the 'sandbox' the Function node runs code in is not a completely secure sandbox. It prevents casual access to things that shouldn't be accessed, but JavaScript provides many ways to circumvent it.

1 Like

Thanks all.

This came about because of what was mentioned in the first post.

So - to confirm I understand:
NR can run any command I can (non root).

Now to (sorry) digress....
So where does the public directory configured in the settings fit in?

Is that the ..... root directory for any file I/O?
Though if it is the root: why is it I have to keep putting in the full path from THE root (top) directory?

eg:
/home/me/.node-red/public/(what ever)
and not just (what ever)?