Nodejs/node
1
0
Fork 0
mirror of https://github.com/nodejs/node.git synced 2024-11-21 10:59:27 +00:00
Code Issues Actions 25 Packages Projects Releases Wiki Activity

src,permission: restrict by default when pm enabled

Browse Source 
PR-URL: https://github.com/nodejs/node/pull/48907
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Michaël Zasso <targos@protonmail.com>
Reviewed-By: Paolo Insogna <paolo@cowtech.it>
Reviewed-By: Marco Ippolito <marcoippolito54@gmail.com>
This commit is contained in:
Rafael Gonzaga 2023-07-26 15:32:03 -03:00 committed by GitHub
parent bcaf198900
commit 14e7bd84f1
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 24 additions and 12 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

20
src/env.cc
View File

@ -844,19 +844,17 @@ Environment::Environment(IsolateData* isolate_data,
if (options_->experimental_permission) {
permission()->EnablePermissions();
// If any permission is set the process shouldn't be able to neither
// The process shouldn't be able to neither
// spawn/worker nor use addons or enable inspector
// unless explicitly allowed by the user
if (!options_->allow_fs_read.empty() || !options_->allow_fs_write.empty()) {
options_->allow_native_addons = false;
flags_ = flags_ | EnvironmentFlags::kNoCreateInspector;
permission()->Apply("*", permission::PermissionScope::kInspector);
if (!options_->allow_child_process) {
permission()->Apply("*", permission::PermissionScope::kChildProcess);
}
if (!options_->allow_worker_threads) {
permission()->Apply("*", permission::PermissionScope::kWorkerThreads);
}
options_->allow_native_addons = false;
flags_ = flags_ | EnvironmentFlags::kNoCreateInspector;
permission()->Apply("*", permission::PermissionScope::kInspector);
if (!options_->allow_child_process) {
permission()->Apply("*", permission::PermissionScope::kChildProcess);
}
if (!options_->allow_worker_threads) {
permission()->Apply("*", permission::PermissionScope::kWorkerThreads);
}
if (!options_->allow_fs_read.empty()) {

16
test/parallel/test-permission-inspector.js
View File

@ -1,4 +1,4 @@
// Flags: --experimental-permission --allow-fs-read=*
// Flags: --experimental-permission --allow-fs-read=* --allow-child-process
'use strict';
const common = require('../common');
@ -7,6 +7,7 @@ common.skipIfInspectorDisabled();
const { Session } = require('inspector');
const assert = require('assert');
const { spawnSync } = require('child_process');
if (!common.hasCrypto)
common.skip('no crypto');
@ -20,3 +21,16 @@ if (!common.hasCrypto)
permission: 'Inspector',
}));
}
{
const { status, stderr } = spawnSync(
process.execPath,
[
'--experimental-permission',
'-e',
'(new (require("inspector")).Session()).connect()',
],
);
assert.strictEqual(status, 1);
assert.match(stderr.toString(), /Error: Access to this API has been restricted/);
}