From 06fbbb8dc0866b5b420a7d043c75cbe8423094c4 Mon Sep 17 00:00:00 2001 From: Rafael Gonzaga Date: Wed, 26 Jul 2023 15:32:03 -0300 Subject: [PATCH] src,permission: restrict by default when pm enabled MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit PR-URL: https://github.com/nodejs/node/pull/48907 Reviewed-By: Luigi Pinca Reviewed-By: Michaƫl Zasso Reviewed-By: Paolo Insogna Reviewed-By: Marco Ippolito --- src/env.cc | 20 +++++++++----------- test/parallel/test-permission-inspector.js | 16 +++++++++++++++- 2 files changed, 24 insertions(+), 12 deletions(-) diff --git a/src/env.cc b/src/env.cc index b4335cc9dacb71..8053f8823e8b72 100644 --- a/src/env.cc +++ b/src/env.cc @@ -844,19 +844,17 @@ Environment::Environment(IsolateData* isolate_data, if (options_->experimental_permission) { permission()->EnablePermissions(); - // If any permission is set the process shouldn't be able to neither + // The process shouldn't be able to neither // spawn/worker nor use addons or enable inspector // unless explicitly allowed by the user - if (!options_->allow_fs_read.empty() || !options_->allow_fs_write.empty()) { - options_->allow_native_addons = false; - flags_ = flags_ | EnvironmentFlags::kNoCreateInspector; - permission()->Apply("*", permission::PermissionScope::kInspector); - if (!options_->allow_child_process) { - permission()->Apply("*", permission::PermissionScope::kChildProcess); - } - if (!options_->allow_worker_threads) { - permission()->Apply("*", permission::PermissionScope::kWorkerThreads); - } + options_->allow_native_addons = false; + flags_ = flags_ | EnvironmentFlags::kNoCreateInspector; + permission()->Apply("*", permission::PermissionScope::kInspector); + if (!options_->allow_child_process) { + permission()->Apply("*", permission::PermissionScope::kChildProcess); + } + if (!options_->allow_worker_threads) { + permission()->Apply("*", permission::PermissionScope::kWorkerThreads); } if (!options_->allow_fs_read.empty()) { diff --git a/test/parallel/test-permission-inspector.js b/test/parallel/test-permission-inspector.js index f9d2ce53639945..d4afd8d93bc2f7 100644 --- a/test/parallel/test-permission-inspector.js +++ b/test/parallel/test-permission-inspector.js @@ -1,4 +1,4 @@ -// Flags: --experimental-permission --allow-fs-read=* +// Flags: --experimental-permission --allow-fs-read=* --allow-child-process 'use strict'; const common = require('../common'); @@ -7,6 +7,7 @@ common.skipIfInspectorDisabled(); const { Session } = require('inspector'); const assert = require('assert'); +const { spawnSync } = require('child_process'); if (!common.hasCrypto) common.skip('no crypto'); @@ -20,3 +21,16 @@ if (!common.hasCrypto) permission: 'Inspector', })); } + +{ + const { status, stderr } = spawnSync( + process.execPath, + [ + '--experimental-permission', + '-e', + '(new (require("inspector")).Session()).connect()', + ], + ); + assert.strictEqual(status, 1); + assert.match(stderr.toString(), /Error: Access to this API has been restricted/); +}