Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

permission: v8.writeHeapSnapshot and process.report #48564

Merged
merged 2 commits into from
Jul 4, 2023
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 2 additions & 0 deletions lib/internal/process/report.js
Original file line number Diff line number Diff line change
Expand Up @@ -2,6 +2,7 @@
const {
ERR_SYNTHETIC,
} = require('internal/errors').codes;
const { getValidatedPath } = require('internal/fs/utils');
const {
validateBoolean,
validateObject,
Expand All @@ -19,6 +20,7 @@ const report = {
file = undefined;
} else if (file !== undefined) {
validateString(file, 'file');
file = getValidatedPath(file);
}

if (err === undefined) {
Expand Down
5 changes: 5 additions & 0 deletions src/heap_utils.cc
Original file line number Diff line number Diff line change
Expand Up @@ -2,6 +2,7 @@
#include "env-inl.h"
#include "memory_tracker-inl.h"
#include "node_external_reference.h"
#include "permission/permission.h"
#include "stream_base-inl.h"
#include "util-inl.h"

Expand Down Expand Up @@ -454,6 +455,8 @@ void TriggerHeapSnapshot(const FunctionCallbackInfo<Value>& args) {

if (filename_v->IsUndefined()) {
DiagnosticFilename name(env, "Heap", "heapsnapshot");
THROW_IF_INSUFFICIENT_PERMISSIONS(
env, permission::PermissionScope::kFileSystemWrite, env->GetCwd());
if (WriteSnapshot(env, *name, options).IsNothing()) return;
if (String::NewFromUtf8(isolate, *name).ToLocal(&filename_v)) {
args.GetReturnValue().Set(filename_v);
Expand All @@ -463,6 +466,8 @@ void TriggerHeapSnapshot(const FunctionCallbackInfo<Value>& args) {

BufferValue path(isolate, filename_v);
CHECK_NOT_NULL(*path);
THROW_IF_INSUFFICIENT_PERMISSIONS(
env, permission::PermissionScope::kFileSystemWrite, path.ToStringView());
if (WriteSnapshot(env, *path, options).IsNothing()) return;
return args.GetReturnValue().Set(filename_v);
}
Expand Down
10 changes: 10 additions & 0 deletions src/node_report.cc
Original file line number Diff line number Diff line change
Expand Up @@ -7,6 +7,7 @@
#include "node_metadata.h"
#include "node_mutex.h"
#include "node_worker.h"
#include "permission/permission.h"
#include "util.h"

#ifdef _WIN32
Expand Down Expand Up @@ -856,6 +857,8 @@ std::string TriggerNodeReport(Isolate* isolate,
// Determine the required report filename. In order of priority:
// 1) supplied on API 2) configured on startup 3) default generated
if (!name.empty()) {
THROW_IF_INSUFFICIENT_PERMISSIONS(
env, permission::PermissionScope::kFileSystemWrite, name, name);
// Filename was specified as API parameter.
filename = name;
} else {
Expand All @@ -871,6 +874,13 @@ std::string TriggerNodeReport(Isolate* isolate,
filename = *DiagnosticFilename(
RafaelGSS marked this conversation as resolved.
Show resolved Hide resolved
env != nullptr ? env->thread_id() : 0, "report", "json");
}
if (env != nullptr) {
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm not entirely sure about when the env is null. Would that happen only when OOM or another crash reporter happens? If so, what would be the best way to throw an exception here?

Maybe @gireeshpunathil has some thoughts on this?

THROW_IF_INSUFFICIENT_PERMISSIONS(
env,
permission::PermissionScope::kFileSystemWrite,
std::string_view(env->GetCwd()),
filename);
}
}

// Open the report file stream for writing. Supports stdout/err,
Expand Down
30 changes: 30 additions & 0 deletions test/parallel/test-permission-fs-write-report.js
Original file line number Diff line number Diff line change
@@ -0,0 +1,30 @@
// Flags: --experimental-permission --allow-fs-read=*
'use strict';

const common = require('../common');
common.skipIfWorker();
if (!common.hasCrypto)
common.skip('no crypto');

const assert = require('assert');
const path = require('path');

{
assert.throws(() => {
process.report.writeReport('./secret.txt');
}, common.expectsError({
code: 'ERR_ACCESS_DENIED',
permission: 'FileSystemWrite',
resource: path.resolve('./secret.txt'),
}));
}

{
assert.throws(() => {
process.report.writeReport();
}, common.expectsError({
code: 'ERR_ACCESS_DENIED',
permission: 'FileSystemWrite',
resource: process.cwd(),
}));
}
30 changes: 30 additions & 0 deletions test/parallel/test-permission-fs-write-v8.js
Original file line number Diff line number Diff line change
@@ -0,0 +1,30 @@
// Flags: --experimental-permission --allow-fs-read=*
'use strict';

const common = require('../common');
common.skipIfWorker();
if (!common.hasCrypto)
common.skip('no crypto');

const assert = require('assert');
const v8 = require('v8');
const path = require('path');

{
assert.throws(() => {
v8.writeHeapSnapshot('./secret.txt');
}, common.expectsError({
code: 'ERR_ACCESS_DENIED',
permission: 'FileSystemWrite',
resource: path.toNamespacedPath(path.resolve('./secret.txt')),
}));
}

{
assert.throws(() => {
v8.writeHeapSnapshot();
}, common.expectsError({
code: 'ERR_ACCESS_DENIED',
permission: 'FileSystemWrite',
}));
}