
Commit e44db4d

RafaelGSSpluris
authored and
pluris
committedAug 6, 2023
src,permission: restrict by default when pm enabled
PR-URL: nodejs#48907 Reviewed-By: Luigi Pinca <[email protected]> Reviewed-By: Michaël Zasso <[email protected]> Reviewed-By: Paolo Insogna <[email protected]> Reviewed-By: Marco Ippolito <[email protected]>
1 parent 43755ac commit e44db4d


2 files changed

+24
-12
lines changed

 

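--- a/src/env.cc
+++ b/src/env.cc
@@ -844,19 +844,17 @@ Environment::Environment(IsolateData* isolate_data,
 
 if (options_->experimental_permission) {
 permission()->EnablePermissions();
-// If any permission is set the process shouldn't be able to neither
+// The process shouldn't be able to neither
 // spawn/worker nor use addons or enable inspector
 // unless explicitly allowed by the user
-if (!options_->allow_fs_read.empty() || !options_->allow_fs_write.empty()) {
-options_->allow_native_addons = false;
-flags_ = flags_ | EnvironmentFlags::kNoCreateInspector;
-permission()->Apply("*", permission::PermissionScope::kInspector);
-if (!options_->allow_child_process) {
-permission()->Apply("*", permission::PermissionScope::kChildProcess);
-}
-if (!options_->allow_worker_threads) {
-permission()->Apply("*", permission::PermissionScope::kWorkerThreads);
-}
+options_->allow_native_addons = false;
+flags_ = flags_ | EnvironmentFlags::kNoCreateInspector;
+permission()->Apply("*", permission::PermissionScope::kInspector);
+if (!options_->allow_child_process) {
+permission()->Apply("*", permission::PermissionScope::kChildProcess);
+}
+if (!options_->allow_worker_threads) {
+permission()->Apply("*", permission::PermissionScope::kWorkerThreads);
 }
 
 if (!options_->allow_fs_read.empty()) {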
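Review bot: The retained comment above the now-unconditional block still says the restrictions hold "unless explicitly allowed by the user", but in the new lines only the child-process and worker-thread denials are guarded by an option (`allow_child_process`, `allow_worker_threads`). `options_->allow_native_addons = false` and the `kInspector` apply run whenever `experimental_permission` is set, with no override visible in this hunk. Because this block is the default-deny baseline of the permission model, the comment should say exactly which capabilities have an opt-in, for example `// With the permission model enabled, native addons and the inspector are always disabled; child processes and worker threads are denied unless the matching allow option is set.` That wording also removes the "shouldn't be able to neither ... nor" double negative. The constructor body begins and continues outside the hunk.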

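--- a/test/parallel/test-permission-inspector.js
+++ b/test/parallel/test-permission-inspector.js
@@ -1,4 +1,4 @@
-// Flags: --experimental-permission --allow-fs-read=*
+// Flags: --experimental-permission --allow-fs-read=* --allow-child-process
 'use strict';
 
 const common = require('../common');
@@ -7,6 +7,7 @@ common.skipIfInspectorDisabled();
 
 const { Session } = require('inspector');
 const assert = require('assert');
+const { spawnSync } = require('child_process');
 
 if (!common.hasCrypto)
 common.skip('no crypto');
@@ -20,3 +21,16 @@ if (!common.hasCrypto)
 permission: 'Inspector',
 }));
 }
+
+{
+const { status, stderr } = spawnSync(
+process.execPath,
+[
+'--experimental-permission',
+'-e',
+'(new (require("inspector")).Session()).connect()',
+],
+);
+assert.strictEqual(status, 1);
+assert.match(stderr.toString(), /Error: Access to this API has been restricted/);
+}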
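Review bot: The block added at the end of the file covers only the inspector under a bare `--experimental-permission`, while the same commit also makes native addons, child processes and worker threads denied by default in src/env.cc. No default-deny test for those three is added here, though test files not shown on this page may already cover them. A regression in any of these defaults would silently widen what a permission-restricted process can do, so each deserves a sibling case of the same shape: `spawnSync` with only `--experimental-permission`, asserting `status === 1` and the restriction error on stderr. A short comment above the block, such as `// With no --allow-* flags the inspector must be denied by default.`, would also record why the child is started without the parent's flags.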
