From 4ff3b90bc81f5df441b8e337896f11d0f73b4c21 Mon Sep 17 00:00:00 2001
From: RafaelGSS
Date: Mon, 24 Jul 2023 15:09:07 -0300
Subject: [PATCH] src,permission: restrict by default when pm enabled
---
 src/env.cc | 20 +++++++++-----------
 test/parallel/test-permission-inspector.js | 16 +++++++++++++++-
 2 files changed, 24 insertions(+), 12 deletions(-)
diff --git a/src/env.cc b/src/env.cc
index 0452766b806062..fe50fe22cb0938 100644
--- a/src/env.cc
+++ b/src/env.cc
@@ -850,19 +850,17 @@ Environment::Environment(IsolateData* isolate_data,
 if (options_->experimental_permission) {
 permission()->EnablePermissions();
- // If any permission is set the process shouldn't be able to neither
+ // The process shouldn't be able to neither
 // spawn/worker nor use addons or enable inspector
 // unless explicitly allowed by the user
- if (!options_->allow_fs_read.empty() || !options_->allow_fs_write.empty()) {
- options_->allow_native_addons = false;
- flags_ = flags_ | EnvironmentFlags::kNoCreateInspector;
- permission()->Apply("*", permission::PermissionScope::kInspector);
- if (!options_->allow_child_process) {
- permission()->Apply("*", permission::PermissionScope::kChildProcess);
- }
- if (!options_->allow_worker_threads) {
- permission()->Apply("*", permission::PermissionScope::kWorkerThreads);
- }
+ options_->allow_native_addons = false;
+ flags_ = flags_ | EnvironmentFlags::kNoCreateInspector;
+ permission()->Apply("*", permission::PermissionScope::kInspector);
+ if (!options_->allow_child_process) {
+ permission()->Apply("*", permission::PermissionScope::kChildProcess);
+ }
+ if (!options_->allow_worker_threads) {
+ permission()->Apply("*", permission::PermissionScope::kWorkerThreads);
 }
 if (!options_->allow_fs_read.empty()) {
diff --git a/test/parallel/test-permission-inspector.js b/test/parallel/test-permission-inspector.js
index f9d2ce53639945..d4afd8d93bc2f7 100644
--- a/test/parallel/test-permission-inspector.js
+++ b/test/parallel/test-permission-inspector.js
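Review bot: The comment kept above the now-unconditional block in src/env.cc still ends with `// unless explicitly allowed by the user`, but in the new lines only the child-process and worker scopes consult an option (`allow_child_process`, `allow_worker_threads`); `allow_native_addons = false`, `kNoCreateInspector` and the `kInspector` restriction are applied with no opt-in visible in this hunk. I would reword it to say so, for example `// With the permission model on, addons and the inspector are always disabled;` followed by `// child processes and workers stay denied unless explicitly allowed.`, which also removes the "shouldn't be able to neither" double negative. The constructor continues outside the hunk, so an opt-in handled elsewhere cannot be ruled out from here.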
@@ -1,4 +1,4 @@
-// Flags: --experimental-permission --allow-fs-read=*
+// Flags: --experimental-permission --allow-fs-read=* --allow-child-process
 'use strict';
 const common = require('../common');
@@ -7,6 +7,7 @@ common.skipIfInspectorDisabled();
 const { Session } = require('inspector');
 const assert = require('assert');
+const { spawnSync } = require('child_process');
 if (!common.hasCrypto)
 common.skip('no crypto');
@@ -20,3 +21,16 @@ if (!common.hasCrypto)
 permission: 'Inspector',
 }));
 }
+
+{
+ const { status, stderr } = spawnSync(
+ process.execPath,
+ [
+ '--experimental-permission',
+ '-e',
+ '(new (require("inspector")).Session()).connect()',
+ ],
+ );
+ assert.strictEqual(status, 1);
+ assert.match(stderr.toString(), /Error: Access to this API has been restricted/);
+}
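Review bot: The new spawnSync block at the end of test-permission-inspector.js matches only the generic text `Access to this API has been restricted`, so it would still pass if the child were denied by a different permission scope before the inspector check ran. The in-process block just above pins `permission: 'Inspector'`; assuming the child's uncaught error is printed with its properties, add `assert.match(stderr.toString(), /permission: 'Inspector'/);` after the existing match. This file also exercises only the inspector default, so the child-process, worker and addon restrictions that now apply with a bare `--experimental-permission` need their own cases unless other test files already cover them.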