diff --git a/node.gyp b/node.gyp index 64c1e9cdd99..dd0e0e0f7d6 100644 --- a/node.gyp +++ b/node.gyp @@ -164,6 +164,7 @@ 'src/permission/wasi_permission.cc', 'src/permission/worker_permission.cc', 'src/permission/net_permission.cc', + 'src/permission/addon_permission.cc', 'src/pipe_wrap.cc', 'src/process_wrap.cc', 'src/signal_wrap.cc', @@ -294,6 +295,7 @@ 'src/permission/wasi_permission.h', 'src/permission/worker_permission.h', 'src/permission/net_permission.h', + 'src/permission/addon_permission.h', 'src/pipe_wrap.h', 'src/req_wrap.h', 'src/req_wrap-inl.h', diff --git a/src/env.cc b/src/env.cc index 92002309534..e681de9a918 100644 --- a/src/env.cc +++ b/src/env.cc @@ -913,6 +913,7 @@ Environment::Environment(IsolateData* isolate_data, // unless explicitly allowed by the user if (!options_->allow_addons) { options_->allow_native_addons = false; + permission()->Apply(this, {"*"}, permission::PermissionScope::kAddon); } flags_ = flags_ | EnvironmentFlags::kNoCreateInspector; permission()->Apply(this, {"*"}, permission::PermissionScope::kInspector); diff --git a/src/permission/addon_permission.cc b/src/permission/addon_permission.cc new file mode 100644 index 00000000000..20123a72e6e --- /dev/null +++ b/src/permission/addon_permission.cc @@ -0,0 +1,24 @@ +#include "addon_permission.h" + +#include + +namespace node { + +namespace permission { + +// Currently, Addon manage a single state +// Once denied, it's always denied +void AddonPermission::Apply(Environment* env, + const std::vector& allow, + PermissionScope scope) { + deny_all_ = true; +} + +bool AddonPermission::is_granted(Environment* env, + PermissionScope perm, + const std::string_view& param) const { + return deny_all_ == false; +} + +} // namespace permission +} // namespace node diff --git a/src/permission/addon_permission.h b/src/permission/addon_permission.h new file mode 100644 index 00000000000..9702862d098 --- /dev/null +++ b/src/permission/addon_permission.h @@ -0,0 +1,31 @@ +#ifndef SRC_PERMISSION_ADDON_PERMISSION_H_ +#define SRC_PERMISSION_ADDON_PERMISSION_H_ + +#if defined(NODE_WANT_INTERNALS) && NODE_WANT_INTERNALS + +#include +#include "permission/permission_base.h" + +namespace node { + +namespace permission { + +class AddonPermission final : public PermissionBase { + public: + void Apply(Environment* env, + const std::vector& allow, + PermissionScope scope) override; + bool is_granted(Environment* env, + PermissionScope perm, + const std::string_view& param = "") const override; + + private: + bool deny_all_; +}; + +} // namespace permission + +} // namespace node + +#endif // defined(NODE_WANT_INTERNALS) && NODE_WANT_INTERNALS +#endif // SRC_PERMISSION_ADDON_PERMISSION_H_ diff --git a/src/permission/permission.cc b/src/permission/permission.cc index c70456a3b82..199b36ee76b 100644 --- a/src/permission/permission.cc +++ b/src/permission/permission.cc @@ -85,6 +85,7 @@ Permission::Permission() : enabled_(false) { std::make_shared(); std::shared_ptr wasi = std::make_shared(); std::shared_ptr net = std::make_shared(); + std::shared_ptr addon = std::make_shared(); #define V(Name, _, __, ___) \ nodes_.insert(std::make_pair(PermissionScope::k##Name, fs)); FILESYSTEM_PERMISSIONS(V) @@ -109,6 +110,10 @@ Permission::Permission() : enabled_(false) { nodes_.insert(std::make_pair(PermissionScope::k##Name, net)); NET_PERMISSIONS(V) #undef V +#define V(Name, _, __, ___) \ + nodes_.insert(std::make_pair(PermissionScope::k##Name, addon)); + ADDON_PERMISSIONS(V) +#undef V } const char* GetErrorFlagSuggestion(node::permission::PermissionScope perm) { diff --git a/src/permission/permission.h b/src/permission/permission.h index 2d1eb4b8fcf..336b3095fde 100644 --- a/src/permission/permission.h +++ b/src/permission/permission.h @@ -5,6 +5,7 @@ #include "debug_utils.h" #include "node_options.h" +#include "permission/addon_permission.h" #include "permission/child_process_permission.h" #include "permission/fs_permission.h" #include "permission/inspector_permission.h" diff --git a/src/permission/permission_base.h b/src/permission/permission_base.h index d3c1322d02a..bdb0cb62b16 100644 --- a/src/permission/permission_base.h +++ b/src/permission/permission_base.h @@ -31,13 +31,17 @@ namespace permission { #define NET_PERMISSIONS(V) V(Net, "net", PermissionsRoot, "--allow-net") +#define ADDON_PERMISSIONS(V) \ + V(Addon, "addon", PermissionsRoot, "--allow-addons") + #define PERMISSIONS(V) \ FILESYSTEM_PERMISSIONS(V) \ CHILD_PROCESS_PERMISSIONS(V) \ WASI_PERMISSIONS(V) \ WORKER_THREADS_PERMISSIONS(V) \ INSPECTOR_PERMISSIONS(V) \ - NET_PERMISSIONS(V) + NET_PERMISSIONS(V) \ + ADDON_PERMISSIONS(V) #define V(name, _, __, ___) k##name, enum class PermissionScope { diff --git a/test/parallel/test-permission-allow-addons-cli.js b/test/parallel/test-permission-allow-addons-cli.js index 342bdb6bc01..b86e4265fc0 100644 --- a/test/parallel/test-permission-allow-addons-cli.js +++ b/test/parallel/test-permission-allow-addons-cli.js @@ -19,3 +19,7 @@ const loadFixture = createRequire(fixtures.path('node_modules')); const msg = loadFixture('pkgexports/no-addons'); assert.strictEqual(msg, 'using native addons'); } + +{ + assert.ok(process.permission.has('addon')); +} diff --git a/test/parallel/test-permission-has.js b/test/parallel/test-permission-has.js index 72630dd939e..b9336c2b629 100644 --- a/test/parallel/test-permission-has.js +++ b/test/parallel/test-permission-has.js @@ -34,5 +34,5 @@ const assert = require('assert'); assert.ok(!process.permission.has('worker')); assert.ok(!process.permission.has('inspector')); assert.ok(!process.permission.has('net')); - // TODO(rafaelgss): add addon + assert.ok(!process.permission.has('addon')); }