|
1 | | -# File System Security Experiment |
| 1 | +# File System Access Example |
2 | 2 |
|
3 | | -This React Native application demonstrates potential security vulnerabilities in multi-instance environments by testing file system access between the host app and sandboxed instances. |
| 3 | + |
4 | 4 |
|
5 | | -## 🎯 Purpose |
| 5 | +This example demonstrates how to enable file system access in multi-instance environments by whitelisting the necessary native modules. The application shows how sandboxed React Native instances can be configured to access file system APIs when explicitly allowed. |
6 | 6 |
|
7 | | -This example tests whether sandboxed React Native instances can: |
8 | | -- Access files created by the host application |
9 | | -- Access files created by other sandbox instances |
10 | | -- Modify or overwrite files from other instances |
11 | | -- Share storage space across different React Native instances |
12 | | - |
13 | | -## 🔧 Dependencies |
14 | | - |
15 | | -This example uses two popular React Native file system libraries: |
| 7 | +The experiment uses two popular React Native file system libraries: |
16 | 8 | - **react-native-fs** - Traditional file system operations |
17 | 9 | - **react-native-file-access** - Alternative file system API |
18 | 10 |
|
19 | | -## 📱 Features |
20 | | - |
21 | | -### Host Application |
22 | | -- 🏠 Main app instance with full file system testing controls |
23 | | -- 📊 Real-time activity logs showing all file operations |
24 | | -- ⚠️ Security breach alerts when sandbox accesses host files |
25 | | -- 🏖️ Creates 3 sandbox instances for testing |
26 | | - |
27 | | -### Sandbox Instances |
28 | | -- 🏖️ Isolated React Native instances with same file system testing capabilities |
29 | | -- 🔍 Attempts to access host and other sandbox files |
30 | | -- 📝 Independent logging of file operations |
31 | | -- 🚨 Highlights potential security breaches |
32 | | - |
33 | | -## 🧪 Test Scenarios |
34 | | - |
35 | | -### 1. Basic File Operations |
36 | | -- Create, read, write files in documents directory |
37 | | -- List directory contents |
38 | | -- Test both RNFS and FileAccess APIs |
39 | | - |
40 | | -### 2. Cross-Instance File Access |
41 | | -- Host tries to read sandbox files |
42 | | -- Sandbox tries to read host files |
43 | | -- Sandbox tries to read other sandbox files |
44 | | - |
45 | | -### 3. File Modification Attacks |
46 | | -- Sandbox attempts to overwrite host files |
47 | | -- Sandbox attempts to modify other sandbox files |
48 | | -- Detection of successful unauthorized modifications |
49 | | - |
50 | | -## 🚨 Security Implications |
51 | | - |
52 | | -This experiment reveals whether: |
53 | | -- File system storage is properly isolated between instances |
54 | | -- One instance can compromise data from another |
55 | | -- Malicious sandbox code could affect the host application |
56 | | -- Cross-sandbox communication is possible via shared files |
57 | | - |
58 | | -## 🚀 Running the Example |
59 | | - |
60 | | -1. Install dependencies: |
61 | | - ```bash |
62 | | - cd apps/fs-experiment |
63 | | - bun install |
64 | | - ``` |
65 | | - |
66 | | -2. Install native dependencies: |
67 | | - ```bash |
68 | | - cd ios && pod install && cd .. |
69 | | - ``` |
70 | | - |
71 | | -3. Run the application: |
72 | | - ```bash |
73 | | - # iOS |
74 | | - bun ios |
75 | | - |
76 | | - # Android |
77 | | - bun android |
78 | | - ``` |
79 | | - |
80 | | -## 📊 Understanding the Results |
81 | | - |
82 | | -- ✅ **Green messages**: Proper isolation working (cannot access other files) |
83 | | -- 🚨 **Red messages**: Security breach detected (unauthorized file access) |
84 | | -- 📝 **Regular logs**: Normal file operations within instance scope |
85 | | - |
86 | | -## ⚠️ Expected vs Concerning Behavior |
87 | | - |
88 | | -### Expected (Secure) Behavior: |
89 | | -- Each instance can only access its own files |
90 | | -- Cross-instance file access should fail |
91 | | -- File modification across instances should be blocked |
92 | | - |
93 | | -### Concerning (Insecure) Behavior: |
94 | | -- Sandbox can read host application files |
95 | | -- Sandbox can modify host application files |
96 | | -- Sandbox instances can access each other's files |
97 | | -- Shared storage without proper isolation |
98 | | - |
99 | | -## 🔧 Technical Details |
| 11 | +The host application creates multiple sandbox instances and demonstrates how to whitelist these modules to enable controlled file system access across instances while maintaining security boundaries. |
100 | 12 |
|
101 | | -The experiment uses: |
102 | | -- Document directory for persistent file storage |
103 | | -- Unique file names per instance (`test_${sandboxId}.txt`) |
104 | | -- Both sync and async file operations |
105 | | -- Directory listing to discover other instance files |
106 | | -- Deliberate cross-instance access attempts |
| 13 | +## Screenshot |
107 | 14 |
|
108 | | -This test helps identify whether the multi-instance architecture properly isolates file system access or if additional security measures are needed. |
| 15 | +<div align="center"> |
| 16 | + <img src="./docs/screenshot.png" width="240" /> |
| 17 | +</div> |
0 commit comments