src,permission: add support to permission.has(addon)

PR-URL: https://github.com/nodejs/node/pull/58951 Reviewed-By: Marco Ippolito <marcoippolito54@gmail.com> Reviewed-By: Ilyas Shabi <ilyasshabi94@gmail.com>
2025-08-15 13:48:44 +02:00 · 2025-07-07 12:21:07 -03:00 · 2025-07-07 12:21:07 -03:00 · c5c696547e
commit c5c696547e
parent 7be2528e05
9 changed files with 74 additions and 2 deletions
--- a/node.gyp
+++ b/node.gyp
@ -164,6 +164,7 @@
      'src/permission/wasi_permission.cc',
      'src/permission/worker_permission.cc',
      'src/permission/net_permission.cc',
+      'src/permission/addon_permission.cc',
      'src/pipe_wrap.cc',
      'src/process_wrap.cc',
      'src/signal_wrap.cc',
@ -294,6 +295,7 @@
      'src/permission/wasi_permission.h',
      'src/permission/worker_permission.h',
      'src/permission/net_permission.h',
+      'src/permission/addon_permission.h',
      'src/pipe_wrap.h',
      'src/req_wrap.h',
      'src/req_wrap-inl.h',
--- a/src/env.cc
+++ b/src/env.cc
@ -913,6 +913,7 @@ Environment::Environment(IsolateData* isolate_data,
    // unless explicitly allowed by the user
    if (!options_->allow_addons) {
      options_->allow_native_addons = false;
+      permission()->Apply(this, {"*"}, permission::PermissionScope::kAddon);
    }
    flags_ = flags_ | EnvironmentFlags::kNoCreateInspector;
    permission()->Apply(this, {"*"}, permission::PermissionScope::kInspector);
--- a/src/permission/addon_permission.cc
+++ b/src/permission/addon_permission.cc
@ -0,0 +1,24 @@
+#include "addon_permission.h"
+
+#include <string>
+
+namespace node {
+
+namespace permission {
+
+// Currently, Addon manage a single state
+// Once denied, it's always denied
+void AddonPermission::Apply(Environment* env,
+                            const std::vector<std::string>& allow,
+                            PermissionScope scope) {
+  deny_all_ = true;
+}
+
+bool AddonPermission::is_granted(Environment* env,
+                                 PermissionScope perm,
+                                 const std::string_view& param) const {
+  return deny_all_ == false;
+}
+
+}  // namespace permission
+}  // namespace node
--- a/src/permission/addon_permission.h
+++ b/src/permission/addon_permission.h
@ -0,0 +1,31 @@
+#ifndef SRC_PERMISSION_ADDON_PERMISSION_H_
+#define SRC_PERMISSION_ADDON_PERMISSION_H_
+
+#if defined(NODE_WANT_INTERNALS) && NODE_WANT_INTERNALS
+
+#include <string>
+#include "permission/permission_base.h"
+
+namespace node {
+
+namespace permission {
+
+class AddonPermission final : public PermissionBase {
+ public:
+  void Apply(Environment* env,
+             const std::vector<std::string>& allow,
+             PermissionScope scope) override;
+  bool is_granted(Environment* env,
+                  PermissionScope perm,
+                  const std::string_view& param = "") const override;
+
+ private:
+  bool deny_all_;
+};
+
+}  // namespace permission
+
+}  // namespace node
+
+#endif  // defined(NODE_WANT_INTERNALS) && NODE_WANT_INTERNALS
+#endif  // SRC_PERMISSION_ADDON_PERMISSION_H_
--- a/src/permission/permission.cc
+++ b/src/permission/permission.cc
@ -85,6 +85,7 @@ Permission::Permission() : enabled_(false) {
      std::make_shared<InspectorPermission>();
  std::shared_ptr<PermissionBase> wasi = std::make_shared<WASIPermission>();
  std::shared_ptr<PermissionBase> net = std::make_shared<NetPermission>();
+  std::shared_ptr<PermissionBase> addon = std::make_shared<AddonPermission>();
 #define V(Name, _, __, ___)                                                    \
  nodes_.insert(std::make_pair(PermissionScope::k##Name, fs));
  FILESYSTEM_PERMISSIONS(V)
@ -109,6 +110,10 @@ Permission::Permission() : enabled_(false) {
  nodes_.insert(std::make_pair(PermissionScope::k##Name, net));
  NET_PERMISSIONS(V)
 #undef V
+#define V(Name, _, __, ___)                                                    \
+  nodes_.insert(std::make_pair(PermissionScope::k##Name, addon));
+  ADDON_PERMISSIONS(V)
+#undef V
 }

 const char* GetErrorFlagSuggestion(node::permission::PermissionScope perm) {
--- a/src/permission/permission.h
+++ b/src/permission/permission.h
@ -5,6 +5,7 @@

 #include "debug_utils.h"
 #include "node_options.h"
+#include "permission/addon_permission.h"
 #include "permission/child_process_permission.h"
 #include "permission/fs_permission.h"
 #include "permission/inspector_permission.h"
--- a/src/permission/permission_base.h
+++ b/src/permission/permission_base.h
@ -31,13 +31,17 @@ namespace permission {

 #define NET_PERMISSIONS(V) V(Net, "net", PermissionsRoot, "--allow-net")

+#define ADDON_PERMISSIONS(V)                                                   \
+  V(Addon, "addon", PermissionsRoot, "--allow-addons")
+
 #define PERMISSIONS(V)                                                         \
  FILESYSTEM_PERMISSIONS(V)                                                    \
  CHILD_PROCESS_PERMISSIONS(V)                                                 \
  WASI_PERMISSIONS(V)                                                          \
  WORKER_THREADS_PERMISSIONS(V)                                                \
  INSPECTOR_PERMISSIONS(V)                                                     \
-  NET_PERMISSIONS(V)
+  NET_PERMISSIONS(V)                                                           \
+  ADDON_PERMISSIONS(V)

 #define V(name, _, __, ___) k##name,
 enum class PermissionScope {
--- a/test/parallel/test-permission-allow-addons-cli.js
+++ b/test/parallel/test-permission-allow-addons-cli.js
@ -19,3 +19,7 @@ const loadFixture = createRequire(fixtures.path('node_modules'));
  const msg = loadFixture('pkgexports/no-addons');
  assert.strictEqual(msg, 'using native addons');
 }
+
+{
+  assert.ok(process.permission.has('addon'));
+}
--- a/test/parallel/test-permission-has.js
+++ b/test/parallel/test-permission-has.js
@ -34,5 +34,5 @@ const assert = require('assert');
  assert.ok(!process.permission.has('worker'));
  assert.ok(!process.permission.has('inspector'));
  assert.ok(!process.permission.has('net'));
-  // TODO(rafaelgss): add addon
+  assert.ok(!process.permission.has('addon'));
 }