We read every piece of feedback, and take your input very seriously.
To see all available qualifiers, see our documentation.
There was an error while loading. Please reload this page.
1 parent e8dd189 commit ed966a0Copy full SHA for ed966a0
node.gyp
@@ -163,6 +163,7 @@
163
'src/permission/permission.cc',
164
'src/permission/wasi_permission.cc',
165
'src/permission/worker_permission.cc',
166
+ 'src/permission/addon_permission.cc',
167
'src/pipe_wrap.cc',
168
'src/process_wrap.cc',
169
'src/signal_wrap.cc',
@@ -292,6 +293,7 @@
292
293
'src/permission/permission.h',
294
'src/permission/wasi_permission.h',
295
'src/permission/worker_permission.h',
296
+ 'src/permission/addon_permission.h',
297
'src/pipe_wrap.h',
298
'src/req_wrap.h',
299
'src/req_wrap-inl.h',
src/env.cc
@@ -913,6 +913,7 @@ Environment::Environment(IsolateData* isolate_data,
913
// unless explicitly allowed by the user
914
if (!options_->allow_addons) {
915
options_->allow_native_addons = false;
916
+ permission()->Apply(this, {"*"}, permission::PermissionScope::kAddon);
917
}
918
flags_ = flags_ | EnvironmentFlags::kNoCreateInspector;
919
permission()->Apply(this, {"*"}, permission::PermissionScope::kInspector);
src/permission/addon_permission.cc
@@ -0,0 +1,24 @@
1
+#include "addon_permission.h"
2
+
3
+#include <string>
4
5
+namespace node {
6
7
+namespace permission {
8
9
+// Currently, Addon manage a single state
10
+// Once denied, it's always denied
11
+void AddonPermission::Apply(Environment* env,
12
+ const std::vector<std::string>& allow,
13
+ PermissionScope scope) {
14
+ deny_all_ = true;
15
+}
16
17
+bool AddonPermission::is_granted(Environment* env,
18
+ PermissionScope perm,
19
+ const std::string_view& param) const {
20
+ return deny_all_ == false;
21
22
23
+} // namespace permission
24
+} // namespace node
src/permission/addon_permission.h
@@ -0,0 +1,31 @@
+#ifndef SRC_PERMISSION_ADDON_PERMISSION_H_
+#define SRC_PERMISSION_ADDON_PERMISSION_H_
+#if defined(NODE_WANT_INTERNALS) && NODE_WANT_INTERNALS
+#include "permission/permission_base.h"
+class AddonPermission final : public PermissionBase {
+ public:
+ void Apply(Environment* env,
+ PermissionScope scope) override;
+ bool is_granted(Environment* env,
+ const std::string_view& param = "") const override;
+ private:
+ bool deny_all_;
+};
25
26
27
28
29
30
+#endif // defined(NODE_WANT_INTERNALS) && NODE_WANT_INTERNALS
31
+#endif // SRC_PERMISSION_ADDON_PERMISSION_H_
src/permission/permission.cc
@@ -84,6 +84,7 @@ Permission::Permission() : enabled_(false) {
84
std::shared_ptr<PermissionBase> inspector =
85
std::make_shared<InspectorPermission>();
86
std::shared_ptr<PermissionBase> wasi = std::make_shared<WASIPermission>();
87
+ std::shared_ptr<PermissionBase> addon = std::make_shared<AddonPermission>();
88
#define V(Name, _, __, ___) \
89
nodes_.insert(std::make_pair(PermissionScope::k##Name, fs));
90
FILESYSTEM_PERMISSIONS(V)
@@ -104,6 +105,10 @@ Permission::Permission() : enabled_(false) {
104
105
nodes_.insert(std::make_pair(PermissionScope::k##Name, wasi));
106
WASI_PERMISSIONS(V)
107
#undef V
108
+#define V(Name, _, __, ___) \
109
+ nodes_.insert(std::make_pair(PermissionScope::k##Name, addon));
110
+ ADDON_PERMISSIONS(V)
111
+#undef V
112
113
114
const char* GetErrorFlagSuggestion(node::permission::PermissionScope perm) {
src/permission/permission.h
@@ -5,6 +5,7 @@
#include "debug_utils.h"
#include "node_options.h"
+#include "permission/addon_permission.h"
#include "permission/child_process_permission.h"
#include "permission/fs_permission.h"
#include "permission/inspector_permission.h"
src/permission/permission_base.h
@@ -29,12 +29,16 @@ namespace permission {
#define INSPECTOR_PERMISSIONS(V) V(Inspector, "inspector", PermissionsRoot, "")
32
+#define ADDON_PERMISSIONS(V) \
33
+ V(Addon, "addon", PermissionsRoot, "--allow-addons")
34
35
#define PERMISSIONS(V) \
36
FILESYSTEM_PERMISSIONS(V) \
37
CHILD_PROCESS_PERMISSIONS(V) \
38
WASI_PERMISSIONS(V) \
39
WORKER_THREADS_PERMISSIONS(V) \
- INSPECTOR_PERMISSIONS(V)
40
+ INSPECTOR_PERMISSIONS(V) \
41
42
43
#define V(name, _, __, ___) k##name,
44
enum class PermissionScope {
test/parallel/test-permission-allow-addons-cli.js
@@ -19,3 +19,7 @@ const loadFixture = createRequire(fixtures.path('node_modules'));
const msg = loadFixture('pkgexports/no-addons');
assert.strictEqual(msg, 'using native addons');
+{
+ assert.ok(process.permission.has('addon'));
test/parallel/test-permission-has.js
@@ -25,3 +25,13 @@ const assert = require('assert');
{
assert.ok(!process.permission.has('FileSystemWrite', Buffer.from('reference')));
+ assert.ok(!process.permission.has('fs'));
+ assert.ok(process.permission.has('fs.read'));
+ assert.ok(!process.permission.has('fs.write'));
+ assert.ok(!process.permission.has('wasi'));
+ assert.ok(!process.permission.has('worker'));
+ assert.ok(!process.permission.has('inspector'));
+ assert.ok(!process.permission.has('addon'));