Add support for (experimental) node policy file

docs/SECURITY.md

@@ -81,6 +81,18 @@ stick with using `./index.js` to launch the application instead of
 `node index.js`, as the former will automatically get new security
 flags as they are added.
 
+### Additional runtime flags
+
+To enable an (experimental) NodeJS feature for limiting the source
+files which can be loaded, you can set an environment variable:
+
+```
+NODE_OPTIONS='--experimental-policy=./policy.json'
+```
+
+(`policy.json` is provided in the same folder as `index.js` - if
+that is not the current directory, change the path to match)
+
 ## Data encryption
 
 All retro item data is encrypted in the database using aes-256-cbc,

scripts/e2e.sh

@@ -38,6 +38,7 @@ if [[ -z "$TARGET_HOST" ]]; then
   MOCK_SSO_PORT="$MOCK_SSO_PORT" \
   SERVER_BIND_ADDRESS="localhost" \
   DB_URL="memory://refacto?simulatedLatency=50" \
+  NODE_OPTIONS='--experimental-policy="'"$BUILDDIR/policy.json"'"' \
   node \
     --disable-proto throw \
     "$BUILDDIR/index.js" \

src/backend/package.json

@@ -6,7 +6,7 @@
     "lint:tsc": "tsc",
     "lint:prettier": "prettier --check .",
     "lint": "tsc && prettier --check .",
-    "build": "rm -rf build && rollup --config rollup.config.mjs && cp -r src/static build/static && chmod +x build/index.js",
+    "build": "rm -rf build && rollup --config rollup.config.mjs && cp -r src/static build/static && cp policy.json build && chmod +x build/index.js",
     "start": "npm run build && NODE_ENV=development build/index.js",
     "test": "lean-test --preprocess tsc --parallel"
   },

src/backend/policy.json

@@ -0,0 +1,9 @@
+{
+  "onerror": "throw",
+  "scopes": {
+    "./": {
+      "integrity": true,
+      "dependencies": true
+    }
+  }
+}