Skip to content

Commit 62a46d9

Browse files
committedAug 17, 2023
src,permission: restrict by default when pm enabled
PR-URL: #48907 Reviewed-By: Luigi Pinca <[email protected]> Reviewed-By: Michaël Zasso <[email protected]> Reviewed-By: Paolo Insogna <[email protected]> Reviewed-By: Marco Ippolito <[email protected]>
1 parent e0fdb7b commit 62a46d9

File tree

2 files changed

+24
-12
lines changed

2 files changed

+24
-12
lines changed
 

‎src/env.cc

+9-11
Original file line numberDiff line numberDiff line change
@@ -797,19 +797,17 @@ Environment::Environment(IsolateData* isolate_data,
797797

798798
if (options_->experimental_permission) {
799799
permission()->EnablePermissions();
800-
// If any permission is set the process shouldn't be able to neither
800+
// The process shouldn't be able to neither
801801
// spawn/worker nor use addons or enable inspector
802802
// unless explicitly allowed by the user
803-
if (!options_->allow_fs_read.empty() || !options_->allow_fs_write.empty()) {
804-
options_->allow_native_addons = false;
805-
flags_ = flags_ | EnvironmentFlags::kNoCreateInspector;
806-
permission()->Apply("*", permission::PermissionScope::kInspector);
807-
if (!options_->allow_child_process) {
808-
permission()->Apply("*", permission::PermissionScope::kChildProcess);
809-
}
810-
if (!options_->allow_worker_threads) {
811-
permission()->Apply("*", permission::PermissionScope::kWorkerThreads);
812-
}
803+
options_->allow_native_addons = false;
804+
flags_ = flags_ | EnvironmentFlags::kNoCreateInspector;
805+
permission()->Apply("*", permission::PermissionScope::kInspector);
806+
if (!options_->allow_child_process) {
807+
permission()->Apply("*", permission::PermissionScope::kChildProcess);
808+
}
809+
if (!options_->allow_worker_threads) {
810+
permission()->Apply("*", permission::PermissionScope::kWorkerThreads);
813811
}
814812

815813
if (!options_->allow_fs_read.empty()) {

‎test/parallel/test-permission-inspector.js

+15-1
Original file line numberDiff line numberDiff line change
@@ -1,4 +1,4 @@
1-
// Flags: --experimental-permission --allow-fs-read=*
1+
// Flags: --experimental-permission --allow-fs-read=* --allow-child-process
22
'use strict';
33

44
const common = require('../common');
@@ -7,6 +7,7 @@ common.skipIfInspectorDisabled();
77

88
const { Session } = require('inspector');
99
const assert = require('assert');
10+
const { spawnSync } = require('child_process');
1011

1112
if (!common.hasCrypto)
1213
common.skip('no crypto');
@@ -20,3 +21,16 @@ if (!common.hasCrypto)
2021
permission: 'Inspector',
2122
}));
2223
}
24+
25+
{
26+
const { status, stderr } = spawnSync(
27+
process.execPath,
28+
[
29+
'--experimental-permission',
30+
'-e',
31+
'(new (require("inspector")).Session()).connect()',
32+
],
33+
);
34+
assert.strictEqual(status, 1);
35+
assert.match(stderr.toString(), /Error: Access to this API has been restricted/);
36+
}

0 commit comments

Comments
 (0)
Please sign in to comment.