Skip to content

Commit

Permalink
src,permission: restrict by default when pm enabled
Browse files Browse the repository at this point in the history
PR-URL: nodejs#48907
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Michaël Zasso <targos@protonmail.com>
Reviewed-By: Paolo Insogna <paolo@cowtech.it>
Reviewed-By: Marco Ippolito <marcoippolito54@gmail.com>
  • Loading branch information
RafaelGSS authored and pluris committed Aug 6, 2023
1 parent 43755ac commit e44db4d
Show file tree
Hide file tree
Showing 2 changed files with 24 additions and 12 deletions.
20 changes: 9 additions & 11 deletions src/env.cc
Original file line number Diff line number Diff line change
Expand Up @@ -844,19 +844,17 @@ Environment::Environment(IsolateData* isolate_data,

if (options_->experimental_permission) {
permission()->EnablePermissions();
// If any permission is set the process shouldn't be able to neither
// The process shouldn't be able to neither
// spawn/worker nor use addons or enable inspector
// unless explicitly allowed by the user
if (!options_->allow_fs_read.empty() || !options_->allow_fs_write.empty()) {
options_->allow_native_addons = false;
flags_ = flags_ | EnvironmentFlags::kNoCreateInspector;
permission()->Apply("*", permission::PermissionScope::kInspector);
if (!options_->allow_child_process) {
permission()->Apply("*", permission::PermissionScope::kChildProcess);
}
if (!options_->allow_worker_threads) {
permission()->Apply("*", permission::PermissionScope::kWorkerThreads);
}
options_->allow_native_addons = false;
flags_ = flags_ | EnvironmentFlags::kNoCreateInspector;
permission()->Apply("*", permission::PermissionScope::kInspector);
if (!options_->allow_child_process) {
permission()->Apply("*", permission::PermissionScope::kChildProcess);
}
if (!options_->allow_worker_threads) {
permission()->Apply("*", permission::PermissionScope::kWorkerThreads);
}

if (!options_->allow_fs_read.empty()) {
Expand Down
16 changes: 15 additions & 1 deletion test/parallel/test-permission-inspector.js
Original file line number Diff line number Diff line change
@@ -1,4 +1,4 @@
// Flags: --experimental-permission --allow-fs-read=*
// Flags: --experimental-permission --allow-fs-read=* --allow-child-process
'use strict';

const common = require('../common');
Expand All @@ -7,6 +7,7 @@ common.skipIfInspectorDisabled();

const { Session } = require('inspector');
const assert = require('assert');
const { spawnSync } = require('child_process');

if (!common.hasCrypto)
common.skip('no crypto');
Expand All @@ -20,3 +21,16 @@ if (!common.hasCrypto)
permission: 'Inspector',
}));
}

{
const { status, stderr } = spawnSync(
process.execPath,
[
'--experimental-permission',
'-e',
'(new (require("inspector")).Session()).connect()',
],
);
assert.strictEqual(status, 1);
assert.match(stderr.toString(), /Error: Access to this API has been restricted/);
}

0 comments on commit e44db4d

Please sign in to comment.