From 29e2adc7d0bb29b2de5f68f59ba8e4e3c467ef82 Mon Sep 17 00:00:00 2001
From: theanarkh <theratliter@gmail.com>
Date: Mon, 10 Jun 2024 04:44:09 +0800
Subject: [PATCH] permission,net,dgram: add permission for net

---
 doc/api/cli.md                                |  54 +++
 doc/api/permissions.md                        |   4 +
 doc/node.1                                    |   3 +
 lib/dgram.js                                  |  63 +++-
 lib/internal/process/pre_execution.js         |   1 +
 node.gyp                                      |   2 +
 src/env.cc                                    |   4 +
 src/node_options.cc                           |   5 +
 src/node_options.h                            |   1 +
 src/permission/net_permission.cc              | 237 ++++++++++++
 src/permission/net_permission.h               |  75 ++++
 src/permission/permission.cc                  |   5 +
 src/permission/permission.h                   |   1 +
 src/permission/permission_base.h              |   7 +-
 .../test-permission-allow-net-udp-socket.js   | 348 ++++++++++++++++++
 .../parallel/test-permission-allow-net-udp.js | 181 +++++++++
 16 files changed, 981 insertions(+), 10 deletions(-)
 create mode 100755 src/permission/net_permission.cc
 create mode 100755 src/permission/net_permission.h
 create mode 100644 test/parallel/test-permission-allow-net-udp-socket.js
 create mode 100644 test/parallel/test-permission-allow-net-udp.js

diff --git a/doc/api/cli.md b/doc/api/cli.md
index cf64f45bfd4d64..6ce6cb57302fcc 100644
--- a/doc/api/cli.md
+++ b/doc/api/cli.md
@@ -357,6 +357,57 @@ Error: Access to this API has been restricted
 }
 ```
 
+### `--allow-net-udp`
+
+<!-- YAML
+added: REPLACEME
+-->
+
+> Stability: 1.1 - Active development
+
+When using the [Permission Model][], the process will not be able to create,
+receive, and send UDP packages by default. Attempts to do so will throw an
+`ERR_ACCESS_DENIED` unless the user explicitly passes the `--allow-net-udp` flag
+when starting Node.js.
+
+The argument format is `--allow-net-udp=domain_or_ip[/netmask][:port]`.
+The valid arguments are:
+
+* `*` - To allow all operations.
+* `--allow-net-udp=nodejs.org`
+* `--allow-net-udp=127.0.0.1`
+* `--allow-net-udp=127.0.0.1:8888`
+* `--allow-net-udp=127.0.0.1:*`
+* `--allow-net-udp=*:9999`
+* `--allow-net-udp=127.0.0.1/24:*`
+* `--allow-net-udp=127.0.0.1/255.255.255.0:*`
+* `--allow-net-udp=127.0.0.1:8080 --allow-net-udp=127.0.0.1:9090`
+* `--allow-net-udp=127.0.0.1:8080,localhost:9090`
+
+Example:
+
+```js
+const dgram = require('node:dgram');
+dgram.createSocket('udp4').bind(9297, '127.0.0.1')
+```
+
+```console
+$ node --experimental-permission --allow-fs-read=./index.js index.js
+node:events:498
+      throw er; // Unhandled 'error' event
+      ^
+
+Error [ERR_ACCESS_DENIED]: Access to this API has been restricted. Permission: bind to 127.0.0.1/9297
+    at node:dgram:379:18
+    at process.processTicksAndRejections (node:internal/process/task_queues:77:11)
+Emitted 'error' event on Socket instance at:
+    at afterDns (node:dgram:337:12)
+    at node:dgram:379:9
+    at process.processTicksAndRejections (node:internal/process/task_queues:77:11) {
+  code: 'ERR_ACCESS_DENIED'
+}
+```
+
 ### `--build-snapshot`
 
 <!-- YAML
@@ -1012,6 +1063,7 @@ following permissions are restricted:
 * Child Process - manageable through [`--allow-child-process`][] flag
 * Worker Threads - manageable through [`--allow-worker`][] flag
 * WASI - manageable through [`--allow-wasi`][] flag
+* UDP - manageable through [`--allow-net-udp`][] flag
 
 ### `--experimental-require-module`
 
@@ -2804,6 +2856,7 @@ one is included in the list below.
 * `--allow-child-process`
 * `--allow-fs-read`
 * `--allow-fs-write`
+* `--allow-net-udp`
 * `--allow-wasi`
 * `--allow-worker`
 * `--conditions`, `-C`
@@ -3356,6 +3409,7 @@ node --stack-trace-limit=12 -p -e "Error.stackTraceLimit" # prints 12
 [`--allow-child-process`]: #--allow-child-process
 [`--allow-fs-read`]: #--allow-fs-read
 [`--allow-fs-write`]: #--allow-fs-write
+[`--allow-net-udp`]: #--allow-net-udp
 [`--allow-wasi`]: #--allow-wasi
 [`--allow-worker`]: #--allow-worker
 [`--build-snapshot`]: #--build-snapshot
diff --git a/doc/api/permissions.md b/doc/api/permissions.md
index d994035c808818..b8f2765cd7ae48 100644
--- a/doc/api/permissions.md
+++ b/doc/api/permissions.md
@@ -509,6 +509,8 @@ using the [`--allow-child-process`][] and [`--allow-worker`][] respectively.
 To allow native addons when using permission model, use the [`--allow-addons`][]
 flag. For WASI, use the [`--allow-wasi`][] flag.
 
+For UDP, use [`--allow-net-udp`][] flag.
+
 #### Runtime API
 
 When enabling the Permission Model through the [`--experimental-permission`][]
@@ -575,6 +577,7 @@ There are constraints you need to know before using this system:
   * Inspector protocol
   * File system access
   * WASI
+  * UDP
 * The Permission Model is initialized after the Node.js environment is set up.
   However, certain flags such as `--env-file` or `--openssl-config` are designed
   to read files before environment initialization. As a result, such flags are
@@ -598,6 +601,7 @@ There are constraints you need to know before using this system:
 [`--allow-child-process`]: cli.md#--allow-child-process
 [`--allow-fs-read`]: cli.md#--allow-fs-read
 [`--allow-fs-write`]: cli.md#--allow-fs-write
+[`--allow-net-udp`]: cli.md#--allow-net-udp
 [`--allow-wasi`]: cli.md#--allow-wasi
 [`--allow-worker`]: cli.md#--allow-worker
 [`--experimental-permission`]: cli.md#--experimental-permission
diff --git a/doc/node.1 b/doc/node.1
index 987c7f81610d45..6c15089891e517 100644
--- a/doc/node.1
+++ b/doc/node.1
@@ -94,6 +94,9 @@ Allow execution of WASI when using the permission model.
 .It Fl -allow-worker
 Allow creating worker threads when using the permission model.
 .
+.It Fl -allow-net-udp
+Allow create, receive, and, send UDP packages when using the permission model.
+.
 .It Fl -completion-bash
 Print source-able bash completion script for Node.js.
 .
diff --git a/lib/dgram.js b/lib/dgram.js
index 9b411246afc545..df085b61dfc885 100644
--- a/lib/dgram.js
+++ b/lib/dgram.js
@@ -38,6 +38,7 @@ const {
   ErrnoException,
   ExceptionWithHostPort,
   codes: {
+    ERR_ACCESS_DENIED,
     ERR_BUFFER_OUT_OF_BOUNDS,
     ERR_INVALID_ARG_TYPE,
     ERR_INVALID_FD_TYPE,
@@ -81,6 +82,7 @@ const {
 
 const dc = require('diagnostics_channel');
 const udpSocketChannel = dc.channel('udp.socket');
+const permission = require('internal/process/permission');
 
 const BIND_STATE_UNBOUND = 0;
 const BIND_STATE_BINDING = 1;
@@ -327,12 +329,9 @@ Socket.prototype.bind = function(port_, address_ /* , callback */) {
     else
       address = '::';
   }
-
-  // Resolve address first
-  state.handle.lookup(address, (err, ip) => {
+  const afterDns = (err, ip) => {
     if (!state.handle)
       return; // Handle has been closed in the mean time
-
     if (err) {
       state.bindState = BIND_STATE_UNBOUND;
       this.emit('error', err);
@@ -372,7 +371,18 @@ Socket.prototype.bind = function(port_, address_ /* , callback */) {
 
       startListening(this);
     }
-  });
+  };
+  if (permission.isEnabled()) {
+    const resource = `${address}/${port || '*'}`;
+    if (!permission.has('net.udp', resource)) {
+      process.nextTick(() => {
+        afterDns(new ERR_ACCESS_DENIED(`bind to ${resource}`));
+      });
+      return this;
+    }
+  }
+  // Resolve address first
+  state.handle.lookup(address, afterDns);
 
   return this;
 };
@@ -413,13 +423,27 @@ function _connect(port, address, callback) {
     this.once('connect', callback);
 
   const afterDns = (ex, ip) => {
+    if (!ex && !address && permission.isEnabled()) {
+      const resource = `${ip}/${port}`;
+      if (!permission.has('net.udp', resource)) {
+        ex = new ERR_ACCESS_DENIED(`connect to ${resource}`);
+      }
+    }
     defaultTriggerAsyncIdScope(
       this[async_id_symbol],
       doConnect,
       ex, this, ip, address, port, callback,
     );
   };
-
+  if (address && permission.isEnabled()) {
+    const resource = `${address}/${port}`;
+    if (!permission.has('net.udp', resource)) {
+      process.nextTick(() => {
+        afterDns(new ERR_ACCESS_DENIED(`connect to ${resource}`));
+      });
+      return;
+    }
+  }
   state.handle.lookup(address, afterDns);
 }
 
@@ -430,9 +454,13 @@ function doConnect(ex, self, ip, address, port, callback) {
     return;
 
   if (!ex) {
-    const err = state.handle.connect(ip, port);
-    if (err) {
-      ex = new ExceptionWithHostPort(err, 'connect', address, port);
+    try {
+      const err = state.handle.connect(ip, port);
+      if (err) {
+        ex = new ExceptionWithHostPort(err, 'connect', address, port);
+      }
+    } catch (e) {
+      ex = e;
     }
   }
 
@@ -663,6 +691,13 @@ Socket.prototype.send = function(buffer,
   }
 
   const afterDns = (ex, ip) => {
+    // If we have not checked before dns, check it now
+    if (!ex && !connected && !address && permission.isEnabled()) {
+      const resource = `${ip}/${port}`;
+      if (!permission.has('net.udp', resource)) {
+        ex = new ERR_ACCESS_DENIED(`send to ${resource}`);
+      }
+    }
     defaultTriggerAsyncIdScope(
       this[async_id_symbol],
       doSend,
@@ -671,6 +706,16 @@ Socket.prototype.send = function(buffer,
   };
 
   if (!connected) {
+    // If address is not empty, check it
+    if (address && permission.isEnabled()) {
+      const resource = `${address}/${port}`;
+      if (!permission.has('net.udp', resource)) {
+        process.nextTick(() => {
+          afterDns(new ERR_ACCESS_DENIED(`send to ${resource}`));
+        });
+        return;
+      }
+    }
     state.handle.lookup(address, afterDns);
   } else {
     afterDns(null, null);
diff --git a/lib/internal/process/pre_execution.js b/lib/internal/process/pre_execution.js
index 20eaaade5f2b54..81b4ca7fd3dd9b 100644
--- a/lib/internal/process/pre_execution.js
+++ b/lib/internal/process/pre_execution.js
@@ -574,6 +574,7 @@ function initializePermission() {
       '--allow-child-process',
       '--allow-wasi',
       '--allow-worker',
+      '--allow-net-udp',
     ];
     ArrayPrototypeForEach(availablePermissionFlags, (flag) => {
       const value = getOptionValue(flag);
diff --git a/node.gyp b/node.gyp
index ef0c9aa74cbbf1..3970b6dbcb848a 100644
--- a/node.gyp
+++ b/node.gyp
@@ -155,6 +155,7 @@
       'src/permission/permission.cc',
       'src/permission/wasi_permission.cc',
       'src/permission/worker_permission.cc',
+      'src/permission/net_permission.cc',
       'src/pipe_wrap.cc',
       'src/process_wrap.cc',
       'src/signal_wrap.cc',
@@ -280,6 +281,7 @@
       'src/permission/permission.h',
       'src/permission/wasi_permission.h',
       'src/permission/worker_permission.h',
+      'src/permission/net_permission.h',
       'src/pipe_wrap.h',
       'src/req_wrap.h',
       'src/req_wrap-inl.h',
diff --git a/src/env.cc b/src/env.cc
index 73981071f6cce5..09bcd04668ce99 100644
--- a/src/env.cc
+++ b/src/env.cc
@@ -936,6 +936,10 @@ Environment::Environment(IsolateData* isolate_data,
                           options_->allow_fs_write,
                           permission::PermissionScope::kFileSystemWrite);
     }
+    if (!options_->allow_net_udp.empty()) {
+      permission()->Apply(
+          this, options_->allow_net_udp, permission::PermissionScope::kNetUDP);
+    }
   }
 }
 
diff --git a/src/node_options.cc b/src/node_options.cc
index b47ee5fea16e2e..17f2309f935ece 100644
--- a/src/node_options.cc
+++ b/src/node_options.cc
@@ -464,6 +464,11 @@ EnvironmentOptionsParser::EnvironmentOptionsParser() {
             "allow worker threads when any permissions are set",
             &EnvironmentOptions::allow_worker_threads,
             kAllowedInEnvvar);
+  AddOption("--allow-net-udp",
+            "allow host:port or ip:port to bind and connect by UDP socket "
+            "when any permissions are set",
+            &EnvironmentOptions::allow_net_udp,
+            kAllowedInEnvvar);
   AddOption("--experimental-repl-await",
             "experimental await keyword support in REPL",
             &EnvironmentOptions::experimental_repl_await,
diff --git a/src/node_options.h b/src/node_options.h
index d16846facc5af2..029ccbf804ba6a 100644
--- a/src/node_options.h
+++ b/src/node_options.h
@@ -132,6 +132,7 @@ class EnvironmentOptions : public Options {
   bool allow_child_process = false;
   bool allow_wasi = false;
   bool allow_worker_threads = false;
+  std::vector<std::string> allow_net_udp;
   bool experimental_repl_await = true;
   bool experimental_vm_modules = false;
   bool expose_internals = false;
diff --git a/src/permission/net_permission.cc b/src/permission/net_permission.cc
new file mode 100755
index 00000000000000..7b3de0f3e30865
--- /dev/null
+++ b/src/permission/net_permission.cc
@@ -0,0 +1,237 @@
+#include "net_permission.h"
+#include "debug_utils-inl.h"
+#include "json_utils.h"
+#include "util.h"
+
+#include <cctype>
+#include <string>
+#include <string_view>
+#include <vector>
+
+namespace node {
+
+namespace permission {
+
+int is_ip(const std::string& address) {
+  char buf[IPV6_CHAR_LEN];
+  if (uv_inet_pton(AF_INET, address.c_str(), &buf) == 0) {
+    return 4;
+  }
+  if (uv_inet_pton(AF_INET6, address.c_str(), &buf) == 0) {
+    return 6;
+  }
+  return 0;
+}
+
+bool is_digit(const std::string& str) {
+  return !str.empty() && std::all_of(str.begin(), str.end(), ::isdigit);
+}
+
+bool convert_ip_into_bitset(std::bitset<IPV6_BIT_LEN>* bitset,
+                            const std::string& str,
+                            int ip_version) {
+  int family = ip_version == 6 ? AF_INET6 : AF_INET;
+  int char_len = ip_version == 6 ? IPV6_CHAR_LEN : IPV4_CHAR_LEN;
+  int position = 0;
+  char buf[IPV6_CHAR_LEN];
+  // IP(like 127.0.0.1) in buf is [01111111][00000000][00000000][00000001]
+  if (uv_inet_pton(family, str.c_str(), &buf) == 0) {
+    // Handle char by char
+    for (int i = char_len - 1; i >= 0; i--) {
+      // Handle byte by byte
+      for (int j = 0; j < 8; j++) {
+        bitset->set(position++, !!(buf[i] & (1 << j)));
+      }
+    }
+    return true;
+  }
+  return false;
+}
+
+void NetPermission::Apply(Environment* env,
+                          const std::vector<std::string>& allow,
+                          PermissionScope scope) {
+  // For Debug
+  auto cleanup = OnScopeLeave([&]() { Print(); });
+  using std::string_view_literals::operator""sv;
+  for (const std::string& res : allow) {
+    // Allow multiple item in one flag, like --allow-net-udp=127.0.0.1,localhost
+    const std::vector<std::string_view> addresses = SplitString(res, ","sv);
+    for (const auto& address : addresses) {
+      switch (scope) {
+        case PermissionScope::kNetUDP:
+          // address is like *, *:*, host, host:*, host:port, *:port,
+          // host/netmask:port
+          if (address == "*"sv || address == "*:*"sv) {
+            deny_all_udp_ = false;
+            allow_all_udp_ = true;
+            granted_udp_.clear();
+            return;
+          }
+          GrantAccess(scope, address);
+          continue;
+        default:
+          continue;
+      }
+    }
+  }
+}
+
+void NetPermission::GrantAccess(PermissionScope scope,
+                                const std::string_view& param) {
+  std::unique_ptr<ParseResult> result = Parse(param);
+  std::bitset<IPV6_BIT_LEN> ip;
+  std::bitset<IPV6_BIT_LEN> netmask;
+  std::unique_ptr<NetMaskNode> net_mask_node;
+  int ip_version = is_ip(result->address);
+
+  if (ip_version > 0 && !result->netmask.empty()) {
+    if (is_digit(result->netmask)) {  // 127.0.0.1/24
+      int netmask_len = std::stoi(result->netmask);
+      if (netmask_len == 0) {
+        std::cerr << "invalid netmask: " << result->netmask << std::endl;
+        return;
+      }
+      int position = ip_version == 6 ? IPV6_BIT_LEN : IPV4_BIT_LEN;
+      while (netmask_len--) {
+        netmask.set(--position, true);
+      }
+    } else if (!convert_ip_into_bitset(
+                   &netmask,
+                   result->netmask,
+                   ip_version)) {  // 127.0.0.1/255.255.255.0
+      std::cerr << "invalid netmask: " << result->netmask << std::endl;
+      return;
+    }
+    if (!convert_ip_into_bitset(&ip, result->address, ip_version)) {
+      std::cerr << "invalid netmask: " << result->address << std::endl;
+      return;
+    }
+    std::bitset<IPV6_BIT_LEN> network = netmask & ip;
+    net_mask_node = std::make_unique<NetMaskNode>(netmask, network);
+  }
+  auto node = std::make_unique<NetNode>(
+      result->address, result->port, std::move(net_mask_node));
+  granted_udp_.push_back(std::move(node));
+  deny_all_udp_ = false;
+}
+
+bool NetPermission::is_granted(Environment* env,
+                               PermissionScope perm,
+                               const std::string_view& param = "") const {
+  switch (perm) {
+    case PermissionScope::kNetUDP:
+      return !deny_all_udp_ &&
+             (allow_all_udp_ || CheckoutResource(granted_udp_, param));
+    default:
+      return false;
+  }
+}
+
+bool NetPermission::CheckoutResource(
+    const std::vector<std::unique_ptr<NetNode>>& list,
+    const std::string_view& param) const {
+  if (param.empty()) {
+    return false;
+  }
+  using std::string_view_literals::operator""sv;
+  const std::vector<std::string_view> address_port = SplitString(param, "/"sv);
+  int size = address_port.size();
+  CHECK(size == 1 || size == 2);
+  std::string address;
+  std::string port;
+  if (size == 2) {
+    address = address_port[0];
+    port = address_port[1];
+  } else {
+    address = address_port[0];
+    port = "*";
+  }
+  for (uint32_t i = 0; i < list.size(); i++) {
+    auto node = list[i].get();
+    int ip_version = is_ip(address);
+    if (ip_version > 0 && node->net_mask_node) {
+      std::bitset<IPV6_BIT_LEN> ip;
+      if (!convert_ip_into_bitset(&ip, address, ip_version)) {
+        return false;
+      }
+      std::bitset<IPV6_BIT_LEN> network = node->net_mask_node->netmask & ip;
+      if (node->net_mask_node->network == network &&
+          (node->port == "*" || node->port == port)) {
+        return true;
+      }
+    } else if ((node->address == "*" || node->address == address) &&
+               (node->port == "*" || node->port == port)) {
+      return true;
+    }
+  }
+  return false;
+}
+
+std::unique_ptr<NetPermission::ParseResult> NetPermission::Parse(
+    const std::string_view& param) const {
+  using std::string_view_literals::operator""sv;
+  size_t ipv6_idx = param.find("]"sv);
+  bool is_ipv6 = ipv6_idx != std::string::npos;
+  size_t net_mask_idx = param.find("/"sv);
+  bool has_net_mask = net_mask_idx != std::string::npos;
+  size_t port_idx = param.find(":"sv, is_ipv6 ? ipv6_idx : 0);
+  bool has_port = port_idx != std::string::npos;
+  std::string address;
+  std::string net_mask;
+  std::string port;
+  if (is_ipv6) {
+    address = param.substr(1, ipv6_idx - 1);
+  } else {
+    if (has_net_mask) {
+      address = param.substr(0, net_mask_idx);
+    } else if (has_port) {
+      address = param.substr(0, port_idx);
+    } else {
+      address = param;
+    }
+  }
+  if (has_net_mask) {
+    if (has_port) {
+      net_mask = param.substr(net_mask_idx + 1, port_idx - net_mask_idx - 1);
+    } else {
+      net_mask = param.substr(net_mask_idx + 1);
+    }
+  }
+  if (has_port) {
+    port = param.substr(port_idx + 1);
+  }
+  if (port.empty()) {
+    port = "*";
+  }
+  return std::unique_ptr<ParseResult>(new ParseResult(address, net_mask, port));
+}
+
+void NetPermission::Print() const {
+  if (UNLIKELY(per_process::enabled_debug_list.enabled(
+          DebugCategory::PERMISSION_MODEL))) {
+    std::cout << "net-udp-net: " << std::endl;
+    std::cout << "  deny_all_udp_: " << deny_all_udp_ << std::endl;
+    std::cout << "  allow_all_udp_: " << allow_all_udp_ << std::endl;
+    JSONWriter writer(std::cout, false);
+    writer.json_arraystart("Nodes");
+    for (uint32_t i = 0; i < granted_udp_.size(); i++) {
+      auto node = granted_udp_[i].get();
+      writer.json_start();
+      writer.json_keyvalue("address", node->address);
+      writer.json_keyvalue("port", node->port);
+      if (node->net_mask_node) {
+        writer.json_keyvalue("netmask",
+                             node->net_mask_node->netmask.to_string());
+        writer.json_keyvalue("network",
+                             node->net_mask_node->network.to_string());
+      }
+      writer.json_end();
+    }
+    writer.json_arrayend();
+    std::cout << std::endl;
+  }
+}
+
+}  // namespace permission
+}  // namespace node
diff --git a/src/permission/net_permission.h b/src/permission/net_permission.h
new file mode 100755
index 00000000000000..2e88f063884b7f
--- /dev/null
+++ b/src/permission/net_permission.h
@@ -0,0 +1,75 @@
+#ifndef SRC_PERMISSION_NET_PERMISSION_H_
+#define SRC_PERMISSION_NET_PERMISSION_H_
+
+#if defined(NODE_WANT_INTERNALS) && NODE_WANT_INTERNALS
+
+#include <bitset>
+#include "permission/permission_base.h"
+#include "uv.h"
+
+namespace node {
+
+namespace permission {
+
+constexpr int IPV4_CHAR_LEN = sizeof(struct in_addr);
+constexpr int IPV6_CHAR_LEN = sizeof(struct in6_addr);
+constexpr int IPV4_BIT_LEN = IPV4_CHAR_LEN << 3;
+constexpr int IPV6_BIT_LEN = IPV6_CHAR_LEN << 3;
+
+class NetPermission final : public PermissionBase {
+ public:
+  void Apply(Environment* env,
+             const std::vector<std::string>& allow,
+             PermissionScope scope) override;
+  bool is_granted(Environment* env,
+                  PermissionScope perm,
+                  const std::string_view& param) const override;
+
+  struct NetMaskNode {
+    std::bitset<IPV6_BIT_LEN> netmask;
+    std::bitset<IPV6_BIT_LEN> network;
+    explicit NetMaskNode(const std::bitset<IPV6_BIT_LEN>& netmask_,
+                         const std::bitset<IPV6_BIT_LEN>& network_)
+        : netmask(netmask_), network(network_) {}
+  };
+
+  struct NetNode {
+    std::string address;
+    std::string port;
+    std::unique_ptr<NetMaskNode> net_mask_node;
+    explicit NetNode(const std::string& address_,
+                     const std::string& port_,
+                     std::unique_ptr<NetMaskNode> net_mask_node_)
+        : address(address_),
+          port(port_),
+          net_mask_node(std::move(net_mask_node_)) {}
+  };
+
+  struct ParseResult {
+    std::string address;
+    std::string netmask;
+    std::string port;
+    explicit ParseResult(const std::string address_,
+                         const std::string& netmask_,
+                         const std::string& port_)
+        : address(address_), netmask(netmask_), port(port_) {}
+  };
+
+ private:
+  void GrantAccess(PermissionScope scope, const std::string_view& param);
+  bool CheckoutResource(const std::vector<std::unique_ptr<NetNode>>& list,
+                        const std::string_view& param = "") const;
+  std::unique_ptr<ParseResult> Parse(const std::string_view& param) const;
+  void Print() const;
+
+  std::vector<std::unique_ptr<NetNode>> granted_udp_;
+  bool deny_all_udp_ = true;
+  bool allow_all_udp_ = false;
+};
+
+}  // namespace permission
+
+}  // namespace node
+
+#endif  // defined(NODE_WANT_INTERNALS) && NODE_WANT_INTERNALS
+#endif  // SRC_PERMISSION_NET_PERMISSION_H_
diff --git a/src/permission/permission.cc b/src/permission/permission.cc
index ad393df0e38976..010504533d6e2c 100644
--- a/src/permission/permission.cc
+++ b/src/permission/permission.cc
@@ -83,6 +83,7 @@ Permission::Permission() : enabled_(false) {
   std::shared_ptr<PermissionBase> inspector =
       std::make_shared<InspectorPermission>();
   std::shared_ptr<PermissionBase> wasi = std::make_shared<WASIPermission>();
+  std::shared_ptr<PermissionBase> net = std::make_shared<NetPermission>();
 #define V(Name, _, __)                                                         \
   nodes_.insert(std::make_pair(PermissionScope::k##Name, fs));
   FILESYSTEM_PERMISSIONS(V)
@@ -103,6 +104,10 @@ Permission::Permission() : enabled_(false) {
   nodes_.insert(std::make_pair(PermissionScope::k##Name, wasi));
   WASI_PERMISSIONS(V)
 #undef V
+#define V(Name, _, __)                                                         \
+  nodes_.insert(std::make_pair(PermissionScope::k##Name, net));
+  NET_PERMISSIONS(V)
+#undef V
 }
 
 Local<Value> CreateAccessDeniedError(Environment* env,
diff --git a/src/permission/permission.h b/src/permission/permission.h
index 55309b6ba551c2..a1bff1579cc79d 100644
--- a/src/permission/permission.h
+++ b/src/permission/permission.h
@@ -8,6 +8,7 @@
 #include "permission/child_process_permission.h"
 #include "permission/fs_permission.h"
 #include "permission/inspector_permission.h"
+#include "permission/net_permission.h"
 #include "permission/permission_base.h"
 #include "permission/wasi_permission.h"
 #include "permission/worker_permission.h"
diff --git a/src/permission/permission_base.h b/src/permission/permission_base.h
index d4ab33d10142f2..297bb035f64ef0 100644
--- a/src/permission/permission_base.h
+++ b/src/permission/permission_base.h
@@ -28,12 +28,17 @@ namespace permission {
 
 #define INSPECTOR_PERMISSIONS(V) V(Inspector, "inspector", PermissionsRoot)
 
+#define NET_PERMISSIONS(V)                                                     \
+  V(Net, "net", PermissionsRoot)                                               \
+  V(NetUDP, "net.udp", Net)
+
 #define PERMISSIONS(V)                                                         \
   FILESYSTEM_PERMISSIONS(V)                                                    \
   CHILD_PROCESS_PERMISSIONS(V)                                                 \
   WASI_PERMISSIONS(V)                                                          \
   WORKER_THREADS_PERMISSIONS(V)                                                \
-  INSPECTOR_PERMISSIONS(V)
+  INSPECTOR_PERMISSIONS(V)                                                     \
+  NET_PERMISSIONS(V)
 
 #define V(name, _, __) k##name,
 enum class PermissionScope {
diff --git a/test/parallel/test-permission-allow-net-udp-socket.js b/test/parallel/test-permission-allow-net-udp-socket.js
new file mode 100644
index 00000000000000..437cf7767cbb20
--- /dev/null
+++ b/test/parallel/test-permission-allow-net-udp-socket.js
@@ -0,0 +1,348 @@
+'use strict';
+
+const common = require('../common');
+const { spawnSync } = require('child_process');
+const assert = require('assert');
+
+common.skipIfWorker();
+
+{
+  const example = () => {
+    const assert = require('node:assert');
+    const dgram = require('dgram');
+
+    const tests = [
+      // [port, ip]
+      [],
+      [9999],
+      [9999, '127.0.0.1'],
+      [9999, 'localhost'],
+    ];
+
+    tests.forEach((test, i) => {
+      const socket = dgram.createSocket('udp4');
+      socket.bind(test[0], test[1]).on('error', (err) => {
+        assert.ok(err.code === 'ERR_ACCESS_DENIED', err.message);
+        socket.close();
+      });
+    });
+  };
+  const { status, stderr } = spawnSync(
+    process.execPath,
+    [
+      '--experimental-permission',
+      '-e',
+      `(${example.toString()})()`,
+    ]
+  );
+  if (status !== 0) {
+    console.error(stderr.toString());
+  }
+  assert.strictEqual(status, 0);
+}
+
+{
+  const example = () => {
+    const assert = require('assert');
+    const dgram = require('dgram');
+    {
+      const socket = dgram.createSocket('udp4');
+      socket.bind().on('listening', (err) => {
+        assert.ok(!err);
+        socket.close();
+      });
+    }
+    {
+      const socket = dgram.createSocket('udp4');
+      socket.bind(9999)
+        .on('listening', () => {
+          socket.close();
+        })
+        .on('error', (err) => {
+          assert.ok(err.code !== 'ERR_ACCESS_DENIED', err.message);
+          socket.close();
+        });
+    }
+    {
+      const socket = dgram.createSocket('udp4');
+      socket.bind(9999, 'localhost')
+        .on('listening', () => {
+          socket.close();
+        })
+        .on('error', (err) => {
+          assert.ok(err.code !== 'ERR_ACCESS_DENIED', err.message);
+          socket.close();
+        });
+    }
+    {
+      const socket = dgram.createSocket('udp4');
+      socket.connect(9999, '127.0.0.1', (err) => {
+        if (err) {
+          assert.ok(err.code !== 'ERR_ACCESS_DENIED', err.message);
+        }
+        socket.close();
+      });
+    }
+  };
+  const { status, stderr } = spawnSync(
+    process.execPath,
+    [
+      '--experimental-permission',
+      '--allow-net-udp=*',
+      '-e',
+      `(${example.toString()})()`,
+    ]
+  );
+  if (status !== 0) {
+    console.error(stderr.toString());
+  }
+  assert.strictEqual(status, 0);
+}
+
+{
+  const example = () => {
+    const assert = require('assert');
+    const dgram = require('dgram');
+    {
+      const socket = dgram.createSocket('udp4');
+      socket.bind(5555, '127.0.0.1')
+        .on('listening', () => {
+          socket.close();
+        })
+        .on('error', (err) => {
+          assert.ok(err.code !== 'ERR_ACCESS_DENIED', err.message);
+          socket.close();
+        });
+    }
+    {
+      const socket = dgram.createSocket('udp4');
+      socket.bind(6666, 'localhost')
+        .on('error', (err) => {
+          assert.ok(err.code === 'ERR_ACCESS_DENIED', err.message);
+          socket.close();
+        });
+    }
+    {
+      const socket = dgram.createSocket('udp4');
+      socket.bind(7777, '127.0.0.1')
+        .on('listening', () => {
+          socket.connect(8888, '127.0.0.1', (err) => {
+            if (err) {
+              assert.ok(err.code !== 'ERR_ACCESS_DENIED', err.message);
+            }
+            socket.close();
+          });
+        })
+        .on('error', (err) => {
+          assert.ok(err.code !== 'ERR_ACCESS_DENIED', err.message);
+          socket.close();
+        });
+    }
+    {
+      const socket = dgram.createSocket('udp4');
+      socket.bind(9999, '127.0.0.1')
+        .on('listening', () => {
+          socket.connect(10000, 'localhost', (err) => {
+            assert.ok(err.code === 'ERR_ACCESS_DENIED', err.message);
+            socket.close();
+          });
+        })
+        .on('error', (err) => {
+          assert.ok(err.code !== 'ERR_ACCESS_DENIED', err.message);
+          socket.close();
+        });
+    }
+  };
+  const { status, stderr } = spawnSync(
+    process.execPath,
+    [
+      '--experimental-permission',
+      '--allow-net-udp=127.0.0.1:*',
+      '-e',
+      `(${example.toString()})()`,
+    ]
+  );
+  if (status !== 0) {
+    console.error(stderr.toString());
+  }
+  assert.strictEqual(status, 0);
+}
+
+{
+  const example = () => {
+    const assert = require('assert');
+    const dgram = require('dgram');
+    {
+      const socket = dgram.createSocket('udp4');
+      socket.bind(9999, '127.0.0.2')
+        .on('listening', () => {
+          socket.close();
+        })
+        .on('error', (err) => {
+          assert.ok(err.code !== 'ERR_ACCESS_DENIED', err.message);
+          socket.close();
+        });
+    }
+    {
+      const socket = dgram.createSocket('udp4');
+      socket.bind(8888, '127.0.0.2')
+        .on('error', (err) => {
+          assert.ok(err.code === 'ERR_ACCESS_DENIED', err.message);
+          socket.close();
+        });
+    }
+    {
+      const socket = dgram.createSocket('udp4');
+      socket.bind(9999, '127.0.0.1')
+        .on('listening', () => {
+          socket.connect(9999, '127.0.0.1', (err) => {
+            if (err) {
+              assert.ok(err.code !== 'ERR_ACCESS_DENIED', err.message);
+            }
+            socket.close();
+          });
+        })
+        .on('error', (err) => {
+          assert.ok(err.code !== 'ERR_ACCESS_DENIED', err.message);
+          socket.close();
+        });
+    }
+    {
+      const socket = dgram.createSocket('udp4');
+      socket.bind(9999, 'localhost')
+        .on('listening', () => {
+          socket.connect(10000, 'localhost', (err) => {
+            assert.ok(err.code === 'ERR_ACCESS_DENIED', err.message);
+            socket.close();
+          });
+        })
+        .on('error', (err) => {
+          assert.ok(err.code !== 'ERR_ACCESS_DENIED', err.message);
+          socket.close();
+        });
+    }
+  };
+  const { status, stderr } = spawnSync(
+    process.execPath,
+    [
+      '--experimental-permission',
+      '--allow-net-udp=*:9999',
+      '-e',
+      `(${example.toString()})()`,
+    ]
+  );
+  if (status !== 0) {
+    console.error(stderr.toString());
+  }
+  assert.strictEqual(status, 0);
+}
+
+{
+  const example = () => {
+    const assert = require('assert');
+    const dgram = require('dgram');
+    {
+      const socket = dgram.createSocket('udp4');
+      socket.bind(12345, '127.0.0.1')
+        .on('listening', () => {
+          socket.close();
+        })
+        .on('error', (err) => {
+          assert.ok(err.code !== 'ERR_ACCESS_DENIED', err.message);
+          socket.close();
+        });
+    }
+    {
+      const socket = dgram.createSocket('udp4');
+      socket.bind(7777, 'localhost')
+        .on('listening', () => {
+          socket.close();
+        })
+        .on('error', (err) => {
+          assert.ok(err.code !== 'ERR_ACCESS_DENIED', err.message);
+          socket.close();
+        });
+    }
+    {
+      const socket = dgram.createSocket('udp4');
+      socket.bind(9999, 'localhost')
+        .on('error', (err) => {
+          assert.ok(err.code === 'ERR_ACCESS_DENIED', err.message);
+          socket.close();
+        });
+    }
+    {
+      const socket = dgram.createSocket('udp4');
+      socket.bind(8888, '127.0.0.1');
+      socket.connect(9999, '127.0.0.2', (err) => {
+        assert.ok(err.code === 'ERR_ACCESS_DENIED', err.message);
+        socket.close();
+      });
+    }
+  };
+  const { status, stderr } = spawnSync(
+    process.execPath,
+    [
+      '--experimental-permission',
+      '--allow-net-udp=127.0.0.1:*',
+      '--allow-net-udp=localhost:7777,localhost:8888',
+      '-e',
+      `(${example.toString()})()`,
+    ]
+  );
+  if (status !== 0) {
+    console.error(stderr.toString());
+  }
+  assert.strictEqual(status, 0);
+}
+
+{
+  const example = () => {
+    const assert = require('assert');
+    const dgram = require('dgram');
+    {
+      const socket = dgram.createSocket('udp4');
+      socket.bind(9999, '127.255.0.2')
+        .on('listening', () => {
+          socket.close();
+        })
+        .on('error', (err) => {
+          assert.ok(err.code !== 'ERR_ACCESS_DENIED', err.message);
+          socket.close();
+        });
+    }
+    {
+      const socket = dgram.createSocket('udp4');
+      socket.bind(8888, '1:1:1:1:1:1:1:2')
+        .on('listening', () => {
+          socket.close();
+        })
+        .on('error', (err) => {
+          assert.ok(err.code !== 'ERR_ACCESS_DENIED', err.message);
+          socket.close();
+        });
+    }
+    {
+      const socket = dgram.createSocket('udp4');
+      socket.bind(7777, '127.0.0.1', (err) => {
+        assert.ok(err.code === 'ERR_ACCESS_DENIED', err.message);
+        socket.close();
+      });
+    }
+  };
+  const { status, stderr } = spawnSync(
+    process.execPath,
+    [
+      '--experimental-permission',
+      '--allow-net-udp=127.255.0.1/16:9999',
+      '--allow-net-udp=127.255.0.1/16:9999',
+      '--allow-net-udp=[1:1:1:1:1:1:1:1]/8:8888',
+      '-e',
+      `(${example.toString()})()`,
+    ]
+  );
+  if (status !== 0) {
+    console.error(stderr.toString());
+  }
+  assert.strictEqual(status, 0);
+}
diff --git a/test/parallel/test-permission-allow-net-udp.js b/test/parallel/test-permission-allow-net-udp.js
new file mode 100644
index 00000000000000..9940242fa91408
--- /dev/null
+++ b/test/parallel/test-permission-allow-net-udp.js
@@ -0,0 +1,181 @@
+'use strict';
+
+const common = require('../common');
+
+const { spawnSync } = require('child_process');
+const assert = require('assert');
+
+common.skipIfWorker();
+
+{
+  const { status, stderr } = spawnSync(
+    process.execPath,
+    [
+      '--experimental-permission',
+      '-e',
+      `
+        const assert = require('assert');
+        assert.ok(!process.permission.has('net.udp'));
+        assert.ok(!process.permission.has('net.udp', 'localhost'));
+        assert.ok(!process.permission.has('net.udp', '127.0.0.1/*'));
+        assert.ok(!process.permission.has('net.udp', '127.0.0.1/9999'));
+        assert.ok(!process.permission.has('net.udp', '*/9999'));
+        assert.ok(!process.permission.has('net.udp', '::1/*'));
+        assert.ok(!process.permission.has('net.udp', '::1/9999'));
+      `,
+    ]
+  );
+  if (status !== 0) {
+    console.error(stderr.toString());
+  }
+  assert.strictEqual(status, 0);
+}
+
+{
+  const { status, stderr } = spawnSync(
+    process.execPath,
+    [
+      '--experimental-permission',
+      '--allow-net-udp=*',
+      '-e',
+      `
+        const assert = require('assert');
+        assert.ok(process.permission.has('net.udp'));
+        assert.ok(process.permission.has('net.udp', 'localhost'));
+        assert.ok(process.permission.has('net.udp', '127.0.0.1/*'));
+        assert.ok(process.permission.has('net.udp', '127.0.0.1/9999'));
+        assert.ok(process.permission.has('net.udp', '*/9999'));
+        assert.ok(process.permission.has('net.udp', '::1/*'));
+        assert.ok(process.permission.has('net.udp', '::1/9999'));
+      `,
+    ]
+  );
+  if (status !== 0) {
+    console.error(stderr.toString());
+  }
+  assert.strictEqual(status, 0);
+}
+
+{
+  const { status, stderr } = spawnSync(
+    process.execPath,
+    [
+      '--experimental-permission',
+      '--allow-net-udp=*:9999',
+      '-e',
+      `
+        const assert = require('assert');
+        assert.ok(process.permission.has('net.udp', '127.0.0.1/9999'));
+        assert.ok(process.permission.has('net.udp', '*/9999'));
+        assert.ok(process.permission.has('net.udp', '::1/9999'));
+        assert.ok(!process.permission.has('net.udp', '127.0.0.1/8888'));
+      `,
+    ]
+  );
+  if (status !== 0) {
+    console.error(stderr.toString());
+  }
+  assert.strictEqual(status, 0);
+}
+
+{
+  const { status, stderr } = spawnSync(
+    process.execPath,
+    [
+      '--experimental-permission',
+      '--allow-net-udp=127.0.0.1:*',
+      '--allow-net-udp=[::1]:*',
+      '-e',
+      `
+        const assert = require('assert');
+        assert.ok(process.permission.has('net.udp', '127.0.0.1/9999'));
+        assert.ok(process.permission.has('net.udp', '127.0.0.1/*'));
+        assert.ok(process.permission.has('net.udp', '::1/9999'));
+        assert.ok(process.permission.has('net.udp', '::1/*'));
+        assert.ok(!process.permission.has('net.udp', '127.0.0.2/9999'));
+        assert.ok(!process.permission.has('net.udp', '::2/9999'));
+      `,
+    ]
+  );
+  if (status !== 0) {
+    console.error(stderr.toString());
+  }
+  assert.strictEqual(status, 0);
+}
+
+{
+  const { status, stderr } = spawnSync(
+    process.execPath,
+    [
+      '--experimental-permission',
+      '--allow-net-udp=127.0.0.1:9999',
+      '--allow-net-udp=[::1]:9999',
+      '-e',
+      `
+        const assert = require('assert');
+        assert.ok(process.permission.has('net.udp', '127.0.0.1/9999'));
+        assert.ok(process.permission.has('net.udp', '::1/9999'));
+        assert.ok(!process.permission.has('net.udp', '127.0.0.2/9999'));
+        assert.ok(!process.permission.has('net.udp', '127.0.0.1/8888'));
+        assert.ok(!process.permission.has('net.udp', '::2/9999'));
+        assert.ok(!process.permission.has('net.udp', '::1/8888'));
+      `,
+    ]
+  );
+  if (status !== 0) {
+    console.error(stderr.toString());
+  }
+  assert.strictEqual(status, 0);
+}
+
+{
+  const { status, stderr } = spawnSync(
+    process.execPath,
+    [
+      '--experimental-permission',
+      '--allow-net-udp=127.0.0.1:5555,[::1]:6666',
+      '--allow-net-udp=127.0.0.2:8888,[::1]:9999',
+      '-e',
+      `
+        const assert = require('assert');
+        assert.ok(process.permission.has('net.udp', '127.0.0.1/5555'));
+        assert.ok(process.permission.has('net.udp', '::1/6666'));
+        assert.ok(process.permission.has('net.udp', '127.0.0.2/8888'));
+        assert.ok(process.permission.has('net.udp', '::1/9999'));
+        assert.ok(!process.permission.has('net.udp', '127.0.0.1/7777'));
+        assert.ok(!process.permission.has('net.udp', '::2/9999'));
+      `,
+    ]
+  );
+  if (status !== 0) {
+    console.error(stderr.toString());
+  }
+  assert.strictEqual(status, 0);
+}
+
+{
+  const { status, stderr } = spawnSync(
+    process.execPath,
+    [
+      '--experimental-permission',
+      '--allow-net-udp=127.255.255.1/8:9999',
+      '--allow-net-udp=128.255.255.1/255.255.0.0:*',
+      '--allow-net-udp=[1:1:1:1:1:1:1:1]/16',
+      '-e',
+      `
+        const assert = require('assert');
+        assert.ok(process.permission.has('net.udp', '127.1.1.1/9999'));
+        assert.ok(process.permission.has('net.udp', '127.1.1.2/9999'));
+        assert.ok(!process.permission.has('net.udp', '127.1.1.2/8888'));
+        assert.ok(process.permission.has('net.udp', '128.255.0.0/9999'));
+        assert.ok(!process.permission.has('net.udp', '128.254.0.0/9999'));
+        assert.ok(process.permission.has('net.udp', '1:2:1:1:1:1:1:1/6666'));
+        assert.ok(!process.permission.has('net.udp', '0:1:1:1:1:1:1:1/6666'));
+      `,
+    ]
+  );
+  if (status !== 0) {
+    console.error(stderr.toString());
+  }
+  assert.strictEqual(status, 0);
+}