node/test/parallel/test-permission-inspector.js

// Flags: --experimental-permission --allow-fs-read=* --allow-child-process
'use strict';

const common = require('../common');
common.skipIfWorker();
common.skipIfInspectorDisabled();

const { Session } = require('inspector');
const assert = require('assert');
const { spawnSync } = require('child_process');

if (!common.hasCrypto)
  common.skip('no crypto');

{
  assert.throws(() => {
    const session = new Session();
    session.connect();
  }, common.expectsError({
    code: 'ERR_ACCESS_DENIED',
    permission: 'Inspector',
  }));
}

{
  const { status, stderr } = spawnSync(
    process.execPath,
    [
      '--experimental-permission',
      '-e',
      '(new (require("inspector")).Session()).connect()',
    ],
  );
  assert.strictEqual(status, 1);
  assert.match(stderr.toString(), /Error: Access to this API has been restricted/);
}
src,permission: restrict by default when pm enabled PR-URL: https://github.com/nodejs/node/pull/48907 Reviewed-By: Luigi Pinca <luigipinca@gmail.com> Reviewed-By: Michaël Zasso <targos@protonmail.com> Reviewed-By: Paolo Insogna <paolo@cowtech.it> Reviewed-By: Marco Ippolito <marcoippolito54@gmail.com> 2023-07-26 18:32:03 +00:00			`// Flags: --experimental-permission --allow-fs-read=* --allow-child-process`
src,permission: restrict inspector when pm enabled PR-URL: https://github.com/nodejs-private/node-private/pull/410 Refs: https://hackerone.com/bugs?subject=nodejs&report_id=1962701 Reviewed-By: Matteo Collina <matteo.collina@gmail.com> CVE-ID: CVE-2023-30587 2023-05-07 16:22:32 +00:00			`'use strict';`

			`const common = require('../common');`
			`common.skipIfWorker();`
			`common.skipIfInspectorDisabled();`

			`const { Session } = require('inspector');`
			`const assert = require('assert');`
src,permission: restrict by default when pm enabled PR-URL: https://github.com/nodejs/node/pull/48907 Reviewed-By: Luigi Pinca <luigipinca@gmail.com> Reviewed-By: Michaël Zasso <targos@protonmail.com> Reviewed-By: Paolo Insogna <paolo@cowtech.it> Reviewed-By: Marco Ippolito <marcoippolito54@gmail.com> 2023-07-26 18:32:03 +00:00			`const { spawnSync } = require('child_process');`
src,permission: restrict inspector when pm enabled PR-URL: https://github.com/nodejs-private/node-private/pull/410 Refs: https://hackerone.com/bugs?subject=nodejs&report_id=1962701 Reviewed-By: Matteo Collina <matteo.collina@gmail.com> CVE-ID: CVE-2023-30587 2023-05-07 16:22:32 +00:00
			`if (!common.hasCrypto)`
			`common.skip('no crypto');`

			`{`
			`assert.throws(() => {`
			`const session = new Session();`
			`session.connect();`
			`}, common.expectsError({`
			`code: 'ERR_ACCESS_DENIED',`
			`permission: 'Inspector',`
			`}));`
			`}`
src,permission: restrict by default when pm enabled PR-URL: https://github.com/nodejs/node/pull/48907 Reviewed-By: Luigi Pinca <luigipinca@gmail.com> Reviewed-By: Michaël Zasso <targos@protonmail.com> Reviewed-By: Paolo Insogna <paolo@cowtech.it> Reviewed-By: Marco Ippolito <marcoippolito54@gmail.com> 2023-07-26 18:32:03 +00:00
			`{`
			`const { status, stderr } = spawnSync(`
			`process.execPath,`
			`[`
			`'--experimental-permission',`
			`'-e',`
			`'(new (require("inspector")).Session()).connect()',`
			`],`
			`);`
			`assert.strictEqual(status, 1);`
			`assert.match(stderr.toString(), /Error: Access to this API has been restricted/);`
			`}`