Skip to content

Commit cf6a089

Browse files
RafaelGSSRafaelGSS
committedJul 24, 2023
src,permission: restrict by default when pm enabled
1 parent 9dd574c commit cf6a089

File tree

2 files changed

+24
-12
lines changed

2 files changed

+24
-12
lines changed
 

‎src/env.cc

+9-11
Original file line numberDiff line numberDiff line change
@@ -850,19 +850,17 @@ Environment::Environment(IsolateData* isolate_data,
850850

851851
if (options_->experimental_permission) {
852852
permission()->EnablePermissions();
853-
// If any permission is set the process shouldn't be able to neither
853+
// The process shouldn't be able to neither
854854
// spawn/worker nor use addons or enable inspector
855855
// unless explicitly allowed by the user
856-
if (!options_->allow_fs_read.empty() || !options_->allow_fs_write.empty()) {
857-
options_->allow_native_addons = false;
858-
flags_ = flags_ | EnvironmentFlags::kNoCreateInspector;
859-
permission()->Apply("*", permission::PermissionScope::kInspector);
860-
if (!options_->allow_child_process) {
861-
permission()->Apply("*", permission::PermissionScope::kChildProcess);
862-
}
863-
if (!options_->allow_worker_threads) {
864-
permission()->Apply("*", permission::PermissionScope::kWorkerThreads);
865-
}
856+
options_->allow_native_addons = false;
857+
flags_ = flags_ | EnvironmentFlags::kNoCreateInspector;
858+
permission()->Apply("*", permission::PermissionScope::kInspector);
859+
if (!options_->allow_child_process) {
860+
permission()->Apply("*", permission::PermissionScope::kChildProcess);
861+
}
862+
if (!options_->allow_worker_threads) {
863+
permission()->Apply("*", permission::PermissionScope::kWorkerThreads);
866864
}
867865

868866
if (!options_->allow_fs_read.empty()) {

‎test/parallel/test-permission-inspector.js

+15-1
Original file line numberDiff line numberDiff line change
@@ -1,4 +1,4 @@
1-
// Flags: --experimental-permission --allow-fs-read=*
1+
// Flags: --experimental-permission --allow-fs-read=* --allow-child-process
22
'use strict';
33

44
const common = require('../common');
@@ -7,6 +7,7 @@ common.skipIfInspectorDisabled();
77

88
const { Session } = require('inspector');
99
const assert = require('assert');
10+
const { spawnSync } = require('child_process');
1011

1112
if (!common.hasCrypto)
1213
common.skip('no crypto');
@@ -20,3 +21,16 @@ if (!common.hasCrypto)
2021
permission: 'Inspector',
2122
}));
2223
}
24+
25+
{
26+
const { status, stderr } = spawnSync(
27+
process.execPath,
28+
[
29+
'--experimental-permission',
30+
'-p',
31+
'(new (require("inspector")).Session()).connect()',
32+
],
33+
);
34+
assert.strictEqual(status, 1);
35+
assert.match(stderr.toString(), /Error: Access to this API has been restricted/);
36+
}

0 commit comments

Comments
 (0)