permission: propagate permission model flags on spawn #58853
Merged
+171
−18
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
Review requested:
|
nodejs-github-bot
added
child_process
|
Since |
RafaelGSS
added
the
semver-minor
RafaelGSS
force-pushed
the
inherit-pm-to-child-process
branch
from
a397ace to
ecf6a03
Compare
Codecov ReportAttention: Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## main #58853 +/- ##
==========================================
- Coverage 90.11% 90.07% -0.04%
==========================================
Files 640 640
Lines 188363 188485 +122
Branches 36931 36965 +34
==========================================
+ Hits 169739 169784 +45
- Misses 11341 11390 +49
- Partials 7283 7311 +28
🚀 New features to boost your workflow:
|
RafaelGSS
added
request-ci
|
The
notable-change
Please suggest a text for the release notes if you'd like to include a more detailed summary, then proceed to update the PR description with the text or a link to the notable change suggested text comment. Otherwise, the commit will be placed in the Other Notable Changes section. |
|
Adding notable-change label as it will impact current users of |
github-actions
bot
removed
the
request-ci
RafaelGSS
force-pushed
the
inherit-pm-to-child-process
branch
from
ecf6a03 to
29b915a
Compare
jasnell
reviewed
Jun 27, 2025
|
|
||
| function copyPermissionModelFlagsToEnv(env, key, args) { | ||
| // Do not override if permission was already passed to file | ||
| if (args.includes('--permission') || (env[key] && env[key].indexOf('--permission') !== -1)) { |
There was a problem hiding this comment.
You can simplify this expression a bit with...
env?.[key]?.indexOf(...)There was a problem hiding this comment.
How? We need to compare the result with !== -1 and also handle the case when the key is undefined. Leaving it as env?.[key]?.indexOf('--permission') might return 0, which is truthy in this case, so I don't see how using env?.[key]?.indexOf(...) would simplify this.
There was a problem hiding this comment.
I think it's possible with the dark arts:
if (!~env?.[key]?.indexOf('--permission'))if (!~undefined) // no match
if (!~-1) // match
if (!~0) // no match
if (!~1) // no matchNot saying you should do this, but you can.
There was a problem hiding this comment.
I don't think you are correct
!~({'foo': '--permission'})?.['foo'].indexOf('--permission') // false
!~({'foo': '--permission'})?.['foo2']?.indexOf('--permission') // false
({'foo': '--permission'})?.['foo'].indexOf('--permission') // 0
There was a problem hiding this comment.
the problem is ~undefined returns -1 which is truthy (just like when it is being found), so ~ doesnt work well in this case. I had the same thought
Previously, only child_process.fork propagated the exec arguments (execvArgs) to the child process. This commit adds support for spawn and spawnSync to propagate permission model flags — except when they are already provided explicitly via arguments or through NODE_OPTIONS. Signed-off-by: RafaelGSS <rafael.nunu@hotmail.com>
RafaelGSS
force-pushed
the
inherit-pm-to-child-process
branch
from
29b915a to
1f5354a
Compare
|
PTAL @nodejs/security-wg |
RafaelGSS
added
the
author ready
Comment on lines
+38
to
+44
| '--allow-fs-read', | ||
| '--allow-fs-write', | ||
| '--allow-addons', | ||
| '--allow-child-process', | ||
| '--allow-net', | ||
| '--allow-wasi', | ||
| '--allow-worker', |
There was a problem hiding this comment.
nit: If sequence doesn't matter, I think it would be better (grokability) to alphabetise them.
H4ad
reviewed
Jun 30, 2025
| for (const arg of process.execArgv) { | ||
| for (const flag of flagsToCopy) { | ||
| if (arg.startsWith(flag)) { | ||
| env[key] = `${env[key] ? env[key] + ' ' + arg : arg}`; |
There was a problem hiding this comment.
Is this a safe operation? I mean, if I do something like node --permission --allow-fs-read="/tmp" --allow-fs-write=a\ --allow-fs-read="/home" -e 'console.log(process.execArgv)'
There was a problem hiding this comment.
Yes. That works as expected. See:
const { spawnSync } = require('node:child_process')
const out = spawnSync(process.execPath, ['-p', '1 + 1'], { env: {
'NODE_DEBUG_NATIVE': 'PERMISSION_MODEL'
} })
console.log(out.status)
console.log(out.stdout.toString())0
Inserting /tmp/*
Inserting /home/*
Inserting /Users/rafaelgss/repos/os/node/a
In any case, escaping characters is the user's responsibility, so I wouldn't worry much about it.
There was a problem hiding this comment.
Hm... I thought "\ " was not allowed, but it seems it is.
UlisesGascon
approved these changes
Jul 1, 2025
RafaelGSS
added
the
commit-queue
nodejs-github-bot
removed
the
commit-queue
|
Landed in 8173d9d |
targos
pushed a commit
that referenced
this pull request
Jul 3, 2025
Previously, only child_process.fork propagated the exec arguments (execvArgs) to the child process. This commit adds support for spawn and spawnSync to propagate permission model flags — except when they are already provided explicitly via arguments or through NODE_OPTIONS. Signed-off-by: RafaelGSS <rafael.nunu@hotmail.com> PR-URL: #58853 Reviewed-By: Matteo Collina <matteo.collina@gmail.com> Reviewed-By: Ulises Gascón <ulisesgascongonzalez@gmail.com>
nodejs-github-bot
added a commit
that referenced
this pull request
Jul 8, 2025
Notable changes: crypto: * (SEMVER-MINOR) support outputLength option in crypto.hash for XOF functions (Aditi) #58121 doc: * (SEMVER-MINOR) add all watch-mode related flags to node.1 (Dario Piotrowicz) #58719 fs: * (SEMVER-MINOR) add disposable mkdtempSync (Kevin Gibbons) #58516 permission: * (SEMVER-MINOR) propagate permission model flags on spawn (Rafael Gonzaga) #58853 sqlite: * (SEMVER-MINOR) add support for readBigInts option in db connection level (Miguel Marcondes Filho) #58697 src,permission: * (SEMVER-MINOR) add support to permission.has(addon) (Rafael Gonzaga) #58951 watch: * (SEMVER-MINOR) add `--watch-kill-signal` flag (Dario Piotrowicz) #58719 PR-URL: #58993
RafaelGSS
pushed a commit
that referenced
this pull request
Jul 9, 2025
Notable changes: crypto: * (SEMVER-MINOR) support outputLength option in crypto.hash for XOF functions (Aditi) #58121 doc: * (SEMVER-MINOR) add all watch-mode related flags to node.1 (Dario Piotrowicz) #58719 fs: * (SEMVER-MINOR) add disposable mkdtempSync (Kevin Gibbons) #58516 permission: * (SEMVER-MINOR) propagate permission model flags on spawn (Rafael Gonzaga) #58853 sqlite: * (SEMVER-MINOR) add support for readBigInts option in db connection level (Miguel Marcondes Filho) #58697 src,permission: * (SEMVER-MINOR) add support to permission.has(addon) (Rafael Gonzaga) #58951 watch: * (SEMVER-MINOR) add `--watch-kill-signal` flag (Dario Piotrowicz) #58719 PR-URL: #58993
aduh95
pushed a commit
that referenced
this pull request
Jul 21, 2025
Previously, only child_process.fork propagated the exec arguments (execvArgs) to the child process. This commit adds support for spawn and spawnSync to propagate permission model flags — except when they are already provided explicitly via arguments or through NODE_OPTIONS. Signed-off-by: RafaelGSS <rafael.nunu@hotmail.com> PR-URL: #58853 Reviewed-By: Matteo Collina <matteo.collina@gmail.com> Reviewed-By: Ulises Gascón <ulisesgascongonzalez@gmail.com>
aduh95
pushed a commit
that referenced
this pull request
Jul 24, 2025
Previously, only child_process.fork propagated the exec arguments (execvArgs) to the child process. This commit adds support for spawn and spawnSync to propagate permission model flags — except when they are already provided explicitly via arguments or through NODE_OPTIONS. Signed-off-by: RafaelGSS <rafael.nunu@hotmail.com> PR-URL: #58853 Reviewed-By: Matteo Collina <matteo.collina@gmail.com> Reviewed-By: Ulises Gascón <ulisesgascongonzalez@gmail.com>
aduh95
pushed a commit
that referenced
this pull request
Jul 27, 2025
Previously, only child_process.fork propagated the exec arguments (execvArgs) to the child process. This commit adds support for spawn and spawnSync to propagate permission model flags — except when they are already provided explicitly via arguments or through NODE_OPTIONS. Signed-off-by: RafaelGSS <rafael.nunu@hotmail.com> PR-URL: #58853 Reviewed-By: Matteo Collina <matteo.collina@gmail.com> Reviewed-By: Ulises Gascón <ulisesgascongonzalez@gmail.com>
nodejs-github-bot
added a commit
that referenced
this pull request
Jul 28, 2025
Notable changes: deps: * (SEMVER-MINOR) update amaro to 1.1.0 (Node.js GitHub Bot) #56350 * (SEMVER-MINOR) update amaro to 1.0.0 (Node.js GitHub Bot) #56350 * (SEMVER-MINOR) update amaro to 0.5.3 (Node.js GitHub Bot) #56350 * (SEMVER-MINOR) update amaro to 0.5.2 (Node.js GitHub Bot) #56350 * (SEMVER-MINOR) update amaro to 0.5.1 (Marco Ippolito) #56350 * (SEMVER-MINOR) update amaro to 0.5.0 (nodejs-github-bot) #56350 doc: * (SEMVER-MINOR) add all watch-mode related flags to node.1 (Dario Piotrowicz) #58719 * add islandryu to collaborators (Shima Ryuhei) #58714 * (SEMVER-MINOR) add history entries to `--input-type` section (Antoine du Hamel) #56350 esm: * (SEMVER-MINOR) implement import.meta.main (Joe) #57804 fs: * (SEMVER-MINOR) allow correct handling of burst in fs-events with AsyncIterator (Philipp Dunkel) #58490 module: * (SEMVER-MINOR) improve typescript error message format (Marco Ippolito) #56350 * (SEMVER-MINOR) remove experimental warning from type stripping (Marco Ippolito) #56350 * (SEMVER-MINOR) refactor commonjs typescript loader (Marco Ippolito) #56350 * (SEMVER-MINOR) unflag --experimental-strip-types (Marco Ippolito) #56350 permission: * (SEMVER-MINOR) propagate permission model flags on spawn (Rafael Gonzaga) #58853 sqlite: * (SEMVER-MINOR) add support for readBigInts option in db connection level (Miguel Marcondes Filho) #58697 src,permission: * (SEMVER-MINOR) add support to permission.has(addon) (Rafael Gonzaga) #58951 test: * (SEMVER-MINOR) add test for async disposable worker thread (James M Snell) #58385 url: * (SEMVER-MINOR) add fileURLToPathBuffer API (James M Snell) #58700 watch: * (SEMVER-MINOR) add `--watch-kill-signal` flag (Dario Piotrowicz) #58719 worker: * (SEMVER-MINOR) make Worker async disposable (James M Snell) #58385 PR-URL: #59256
aduh95
added a commit
that referenced
this pull request
Jul 28, 2025
Notable changes: deps: * (SEMVER-MINOR) update amaro to 1.1.0 (Node.js GitHub Bot) #56350 doc: * add islandryu to collaborators (Shima Ryuhei) #58714 esm: * (SEMVER-MINOR) implement `import.meta.main` (Joe) #57804 fs: * (SEMVER-MINOR) allow correct handling of burst in fs-events with AsyncIterator (Philipp Dunkel) #58490 module: * (SEMVER-MINOR) remove experimental warning from type stripping (Marco Ippolito) #56350 * (SEMVER-MINOR) unflag `--experimental-strip-types` (Marco Ippolito) #56350 permission: * (SEMVER-MINOR) propagate permission model flags on spawn (Rafael Gonzaga) #58853 sqlite: * (SEMVER-MINOR) add support for `readBigInts` option in db connection level (Miguel Marcondes Filho) #58697 src,permission: * (SEMVER-MINOR) add support to `permission.has(addon)` (Rafael Gonzaga) #58951 url: * (SEMVER-MINOR) add `fileURLToPathBuffer` API (James M Snell) #58700 watch: * (SEMVER-MINOR) add `--watch-kill-signal` flag (Dario Piotrowicz) #58719 worker: * (SEMVER-MINOR) make `Worker` async disposable (James M Snell) #58385 PR-URL: #59256 Co-authored-by: Antoine du Hamel <duhamelantoine1995@gmail.com>
aduh95
added a commit
that referenced
this pull request
Jul 31, 2025
Notable changes: deps: * (SEMVER-MINOR) update amaro to 1.1.0 (Node.js GitHub Bot) #56350 doc: * add islandryu to collaborators (Shima Ryuhei) #58714 esm: * (SEMVER-MINOR) implement `import.meta.main` (Joe) #57804 fs: * (SEMVER-MINOR) allow correct handling of burst in fs-events with AsyncIterator (Philipp Dunkel) #58490 module: * (SEMVER-MINOR) remove experimental warning from type stripping (Marco Ippolito) #56350 * (SEMVER-MINOR) unflag `--experimental-strip-types` (Marco Ippolito) #56350 permission: * (SEMVER-MINOR) propagate permission model flags on spawn (Rafael Gonzaga) #58853 sqlite: * (SEMVER-MINOR) add support for `readBigInts` option in db connection level (Miguel Marcondes Filho) #58697 src,permission: * (SEMVER-MINOR) add support to `permission.has(addon)` (Rafael Gonzaga) #58951 url: * (SEMVER-MINOR) add `fileURLToPathBuffer` API (James M Snell) #58700 watch: * (SEMVER-MINOR) add `--watch-kill-signal` flag (Dario Piotrowicz) #58719 worker: * (SEMVER-MINOR) make `Worker` async disposable (James M Snell) #58385 PR-URL: #59256 Co-authored-by: Antoine du Hamel <duhamelantoine1995@gmail.com>
aduh95
added a commit
that referenced
this pull request
Jul 31, 2025
Notable changes: deps: * (SEMVER-MINOR) update amaro to 1.1.0 (Node.js GitHub Bot) #56350 doc: * add islandryu to collaborators (Shima Ryuhei) #58714 esm: * (SEMVER-MINOR) implement `import.meta.main` (Joe) #57804 fs: * (SEMVER-MINOR) allow correct handling of burst in fs-events with AsyncIterator (Philipp Dunkel) #58490 module: * (SEMVER-MINOR) remove experimental warning from type stripping (Marco Ippolito) #56350 * (SEMVER-MINOR) unflag `--experimental-strip-types` (Marco Ippolito) #56350 permission: * (SEMVER-MINOR) propagate permission model flags on spawn (Rafael Gonzaga) #58853 sqlite: * (SEMVER-MINOR) add support for `readBigInts` option in db connection level (Miguel Marcondes Filho) #58697 src,permission: * (SEMVER-MINOR) add support to `permission.has(addon)` (Rafael Gonzaga) #58951 url: * (SEMVER-MINOR) add `fileURLToPathBuffer` API (James M Snell) #58700 watch: * (SEMVER-MINOR) add `--watch-kill-signal` flag (Dario Piotrowicz) #58719 worker: * (SEMVER-MINOR) make `Worker` async disposable (James M Snell) #58385 PR-URL: #59256 Co-authored-by: Antoine du Hamel <duhamelantoine1995@gmail.com>
codebytere
added a commit
to electron/electron
that referenced
this pull request
Aug 2, 2025
meteorqz6
pushed a commit
to meteorqz6/node
that referenced
this pull request
Aug 2, 2025
Notable changes: deps: * (SEMVER-MINOR) update amaro to 1.1.0 (Node.js GitHub Bot) nodejs#56350 doc: * add islandryu to collaborators (Shima Ryuhei) nodejs#58714 esm: * (SEMVER-MINOR) implement `import.meta.main` (Joe) nodejs#57804 fs: * (SEMVER-MINOR) allow correct handling of burst in fs-events with AsyncIterator (Philipp Dunkel) nodejs#58490 module: * (SEMVER-MINOR) remove experimental warning from type stripping (Marco Ippolito) nodejs#56350 * (SEMVER-MINOR) unflag `--experimental-strip-types` (Marco Ippolito) nodejs#56350 permission: * (SEMVER-MINOR) propagate permission model flags on spawn (Rafael Gonzaga) nodejs#58853 sqlite: * (SEMVER-MINOR) add support for `readBigInts` option in db connection level (Miguel Marcondes Filho) nodejs#58697 src,permission: * (SEMVER-MINOR) add support to `permission.has(addon)` (Rafael Gonzaga) nodejs#58951 url: * (SEMVER-MINOR) add `fileURLToPathBuffer` API (James M Snell) nodejs#58700 watch: * (SEMVER-MINOR) add `--watch-kill-signal` flag (Dario Piotrowicz) nodejs#58719 worker: * (SEMVER-MINOR) make `Worker` async disposable (James M Snell) nodejs#58385 PR-URL: nodejs#59256 Co-authored-by: Antoine du Hamel <duhamelantoine1995@gmail.com>
codebytere
added a commit
to electron/electron
that referenced
this pull request
Aug 4, 2025
jkleinsc
pushed a commit
to electron/electron
that referenced
this pull request
Aug 4, 2025
* chore: bump node in DEPS to v22.18.0 * crypto: fix inclusion of OPENSSL_IS_BORINGSSL define nodejs/node#58845 * crypto: fix SHAKE128/256 breaking change introduced with OpenSSL 3.4 nodejs/node#58960 * permission: propagate permission model flags on spawn nodejs/node#58853 * esm: syncify default path of ModuleLoader\.load nodejs/node#57419 * src: remove fast API for InternalModuleStat nodejs/node#58489 * src: simplify adding fast APIs to ExternalReferenceRegistry nodejs/node#58896 * chore: fixup patch indices * src: fix internalModuleStat v8 fast path nodejs/node#58054 * test: add tests to ensure that node.1 is kept in sync with cli.md nodejs/node#58878 * crypto: fix SHAKE128/256 breaking change introduced with OpenSSL 3.4 nodejs/node#58942 --------- Co-authored-by: electron-roller[bot] <84116207+electron-roller[bot]@users.noreply.github.com> Co-authored-by: Shelley Vohr <shelley.vohr@gmail.com>
codebytere
added a commit
to electron/electron
that referenced
this pull request
Aug 5, 2025
* chore: bump node in DEPS to v22.18.0 * crypto: fix inclusion of OPENSSL_IS_BORINGSSL define nodejs/node#58845 * crypto: fix SHAKE128/256 breaking change introduced with OpenSSL 3.4 nodejs/node#58960 * permission: propagate permission model flags on spawn nodejs/node#58853 * esm: syncify default path of ModuleLoader\.load nodejs/node#57419 * src: remove fast API for InternalModuleStat nodejs/node#58489 * src: simplify adding fast APIs to ExternalReferenceRegistry nodejs/node#58896 * chore: fixup patch indices * src: fix internalModuleStat v8 fast path nodejs/node#58054 * test: add tests to ensure that node.1 is kept in sync with cli.md nodejs/node#58878 * crypto: fix SHAKE128/256 breaking change introduced with OpenSSL 3.4 nodejs/node#58942 --------- Co-authored-by: electron-roller[bot] <84116207+electron-roller[bot]@users.noreply.github.com> Co-authored-by: Shelley Vohr <shelley.vohr@gmail.com>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Previously, only child_process.fork propagated the exec arguments (execvArgs) to the child process.
This commit adds support for spawn and spawnSync to propagate permission model flags — except when they are already provided explicitly via arguments or through NODE_OPTIONS.