src: add option to disable loading native addons

Backport-PR-URL: #40094
PR-URL: #39977
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Bradley Farias <bradley.meck@gmail.com>
Reviewed-By: Guy Bedford <guybedford@gmail.com>
Reviewed-By: Michael Dawson <midawson@redhat.com>

Author: d3lm

doc/api/cli.md

@@ -587,6 +587,15 @@ added: v7.10.0
 
 This option is a no-op. It is kept for compatibility.
 
+### `--no-addons`
+<!-- YAML
+added: REPLACEME
+-->
+
+Disable the `node-addons` exports condition as well as disable loading
+native addons. When `--no-addons` is specified, calling `process.dlopen` or
+requiring a native C++ addon will fail and throw an exception.
+
 ### `--no-deprecation`
 <!-- YAML
 added: v0.8.0
@@ -1357,6 +1366,7 @@ Node.js options that are allowed are:
 * `--inspect`
 * `--max-http-header-size`
 * `--napi-modules`
+* `--no-addons`
 * `--no-deprecation`
 * `--no-force-async-hooks-checks`
 * `--no-warnings`

doc/api/errors.md

@@ -876,6 +876,14 @@ An unknown cipher was specified.
 An unknown Diffie-Hellman group name was given. See
 [`crypto.getDiffieHellman()`][] for a list of valid group names.
 
+<a id="ERR_DLOPEN_DISABLED"></a>
+### `ERR_DLOPEN_DISABLED`
+<!-- YAML
+added: REPLACEME
+-->
+
+Loading native addons has been disabled using [`--no-addons`][].
+
 <a id="ERR_DLOPEN_FAILED"></a>
 ### `ERR_DLOPEN_FAILED`
 <!-- YAML
@@ -2599,6 +2607,7 @@ closed.
 [`'uncaughtException'`]: process.md#process_event_uncaughtexception
 [`--disable-proto=throw`]: cli.md#cli_disable_proto_mode
 [`--force-fips`]: cli.md#cli_force_fips
+[`--no-addons`]: cli.md#cli_no_addons
 [`Class: assert.AssertionError`]: assert.md#assert_class_assert_assertionerror
 [`ERR_INVALID_ARG_TYPE`]: #ERR_INVALID_ARG_TYPE
 [`EventEmitter`]: events.md#events_class_eventemitter

doc/api/packages.md

@@ -477,6 +477,11 @@ Node.js implements the following conditions:
 * `"node"` - matches for any Node.js environment. Can be a CommonJS or ES
    module file. _This condition should always come after `"import"` or
    `"require"`._
+* `"node-addons"` - similar to `"node"` and matches for any Node.js environment.
+   This condition can be used to provide an entry point which uses native C++
+   addons as opposed to an entry point which is more universal and doesn't rely
+   on native addons. This condition can be disabled via the
+   [`--no-addons` flag][].
 * `"default"` - the generic fallback that always matches. Can be a CommonJS
    or ES module file. _This condition should always come last._
 
@@ -555,17 +560,23 @@ node --conditions=development main.js
 ```
 
 which would then resolve the `"development"` condition in package imports and
-exports, while resolving the existing `"node"`, `"default"`, `"import"`, and
-`"require"` conditions as appropriate.
+exports, while resolving the existing `"node"`, `"node-addons"`, `"default"`,
+`"import"`, and `"require"` conditions as appropriate.
 
 Any number of custom conditions can be set with repeat flags.
 
 ### Conditions Definitions
 
-The `"import"`, `"require"`, `"node"` and `"default"` conditions are defined
-and implemented in Node.js core,
+The `"import"`, `"require"`, `"node"`, `"node-addons"` and `"default"`
+conditions are defined and implemented in Node.js core,
 [as specified above](#packages_conditional_exports).
 
+The `"node-addons"` condition can be used to provide an entry point which
+uses native C++ addons. However, this condition can be disabled via the
+[`--no-addons` flag][]. When using `"node-addons"`, it's recommended to treat
+`"default"` as an enhancement that provides a more universal entry point, e.g.
+using WebAssembly instead of a native addon.
+
 Other condition strings are unknown to Node.js and thus ignored by default.
 Runtimes or tools other than Node.js can use them at their discretion.
 
@@ -1161,6 +1172,7 @@ This field defines [subpath imports][] for the current package.
 [`"main"`]: #packages_main
 [`"name"`]: #packages_name
 [`"type"`]: #packages_type
+[`--no-addons` flag]: cli.md#cli_no_addons
 [`ERR_PACKAGE_PATH_NOT_EXPORTED`]: errors.md#errors_err_package_path_not_exported
 [`esm`]: https://github.com/standard-things/esm#readme
 [`package.json`]: #packages_node_js_package_json_field_definitions

doc/node.1

@@ -282,6 +282,11 @@ Silence deprecation warnings.
 Disable runtime checks for `async_hooks`.
 These will still be enabled dynamically when `async_hooks` is enabled.
 .
+.It Fl -no-addons
+Disable the `node-addons` exports condition as well as disable loading native
+addons. When `--no-addons` is specified, calling `process.dlopen` or requiring
+a native C++ addon will fail and throw an exception.
+.
 .It Fl -no-warnings
 Silence all process warnings (including deprecations).
 .

lib/internal/modules/cjs/helpers.js

@@ -29,8 +29,16 @@ let debug = require('internal/util/debuglog').debuglog('module', (fn) => {
   debug = fn;
 });
 
+const noAddons = getOptionValue('--no-addons');
+const addonConditions = noAddons ? [] : ['node-addons'];
+
 // TODO: Use this set when resolving pkg#exports conditions in loader.js.
-const cjsConditions = new SafeSet(['require', 'node', ...userConditions]);
+const cjsConditions = new SafeSet([
+  'require',
+  'node',
+  ...addonConditions,
+  ...userConditions,
+]);
 
 function loadNativeModule(filename, request) {
   const mod = NativeModule.map.get(filename);

lib/internal/modules/esm/resolve.js

@@ -57,7 +57,16 @@ const { Module: CJSModule } = require('internal/modules/cjs/loader');
 
 const packageJsonReader = require('internal/modules/package_json_reader');
 const userConditions = getOptionValue('--conditions');
-const DEFAULT_CONDITIONS = ObjectFreeze(['node', 'import', ...userConditions]);
+const noAddons = getOptionValue('--no-addons');
+const addonConditions = noAddons ? [] : ['node-addons'];
+
+const DEFAULT_CONDITIONS = ObjectFreeze([
+  'node',
+  'import',
+  ...addonConditions,
+  ...userConditions,
+]);
+
 const DEFAULT_CONDITIONS_SET = new SafeSet(DEFAULT_CONDITIONS);
 
 const pendingDeprecation = getOptionValue('--pending-deprecation');

src/env-inl.h

@@ -890,6 +890,11 @@ inline bool Environment::is_main_thread() const {
   return worker_context() == nullptr;
 }
 
+inline bool Environment::no_native_addons() const {
+  return (flags_ & EnvironmentFlags::kNoNativeAddons) ||
+          !options_->allow_native_addons;
+}
+
 inline bool Environment::should_not_register_esm_loader() const {
   return flags_ & EnvironmentFlags::kNoRegisterESMLoader;
 }

src/env.h

@@ -1054,6 +1054,7 @@ class Environment : public MemoryRetainer {
   inline void set_has_serialized_options(bool has_serialized_options);
 
   inline bool is_main_thread() const;
+  inline bool no_native_addons() const;
   inline bool should_not_register_esm_loader() const;
   inline bool owns_process_state() const;
   inline bool owns_inspector() const;

src/node.h

@@ -428,7 +428,13 @@ enum Flags : uint64_t {
   // Set this flag to force hiding console windows when spawning child
   // processes. This is usually used when embedding Node.js in GUI programs on
   // Windows.
-  kHideConsoleWindows = 1 << 5
+  kHideConsoleWindows = 1 << 5,
+  // Set this flag to disable loading native addons via `process.dlopen`.
+  // This environment flag is especially important for worker threads
+  // so that a worker thread can't load a native addon even if `execArgv`
+  // is overwritten and `--no-addons` is not specified but was specified
+  // for this Environment instance.
+  kNoNativeAddons = 1 << 6
 };
 }  // namespace EnvironmentFlags
 

src/node_binding.cc

@@ -413,6 +413,12 @@ inline napi_addon_register_func GetNapiInitializerCallback(DLib* dlib) {
 // cache that's a plain C list or hash table that's shared across contexts?
 void DLOpen(const FunctionCallbackInfo<Value>& args) {
   Environment* env = Environment::GetCurrent(args);
+
+  if (env->no_native_addons()) {
+    return THROW_ERR_DLOPEN_DISABLED(
+      env, "Cannot load native addon because loading addons is disabled.");
+  }
+
   auto context = env->context();
 
   CHECK_NULL(thread_local_modpending);