test: add test for loading read-only modules

Adds a test-case to cover loading modules
the user does not have permission to write to.

Covers issue logged in #20112

PR-URL: #20138
Refs: #20112
Reviewed-By: Rich Trott <rtrott@gmail.com>
Reviewed-By: Richard Lau <riclau@uk.ibm.com>
Reviewed-By: Vse Mozhet Byt <vsemozhetbyt@gmail.com>
Reviewed-By: Bartosz Sosnowski <bartosz@janeasystems.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>

Author: billti

test/parallel/test-module-readonly.js

@@ -0,0 +1,48 @@
+'use strict';
+
+const common = require('../common');
+
+if (!common.isWindows) {
+  // TODO: Similar checks on *nix-like systems (e.g using chmod or the like)
+  common.skip('test only runs on Windows');
+}
+
+const assert = require('assert');
+const fs = require('fs');
+const path = require('path');
+const cp = require('child_process');
+
+const tmpdir = require('../common/tmpdir');
+tmpdir.refresh();
+
+// Create readOnlyMod.js and set to read only
+const readOnlyMod = path.join(tmpdir.path, 'readOnlyMod');
+const readOnlyModRelative = path.relative(__dirname, readOnlyMod);
+const readOnlyModFullPath = `${readOnlyMod}.js`;
+
+fs.writeFileSync(readOnlyModFullPath, 'module.exports = 42;');
+
+// Removed any inherited ACEs, and any explicitly granted ACEs for the
+// current user
+cp.execSync(
+  `icacls.exe "${readOnlyModFullPath}" /inheritance:r /remove "%USERNAME%"`);
+
+// Grant the current user read & execute only
+cp.execSync(`icacls.exe "${readOnlyModFullPath}" /grant "%USERNAME%":RX`);
+
+let except = null;
+try {
+  // Attempt to load the module. Will fail if write access is required
+  require(readOnlyModRelative);
+} catch (err) {
+  except = err;
+}
+
+// Remove the expliclty granted rights, and reenable inheritance
+cp.execSync(
+  `icacls.exe "${readOnlyModFullPath}" /remove "%USERNAME%" /inheritance:e`);
+
+// Delete the test module (note: tmpdir should get cleaned anyway)
+fs.unlinkSync(readOnlyModFullPath);
+
+assert.ifError(except);