From 5d5c89a8f7ea7e0bbe69ccbe3bd052ca562e61dd Mon Sep 17 00:00:00 2001 From: Bradley Farias Date: Thu, 18 Jul 2019 09:01:59 -0500 Subject: [PATCH] policy: add dependencies map for resources Adds a "dependencies" field to resources in policy manifest files. In order to ease development and testing while using manifests, wildcard values for both "dependencies" and "integrity" have been added using the boolean value "true" in the policy manifest. PR-URL: https://github.com/nodejs/node/pull/28767 Reviewed-By: Matteo Collina Reviewed-By: Jan Krems Reviewed-By: Colin Ihrig Reviewed-By: Rich Trott --- doc/api/errors.md | 14 +++ doc/api/policy.md | 78 +++++++++++- lib/internal/errors.js | 6 + lib/internal/modules/cjs/helpers.js | 62 +++++++++- lib/internal/modules/cjs/loader.js | 19 +-- lib/internal/modules/esm/translators.js | 7 +- lib/internal/policy/manifest.js | 117 +++++++++++++----- test/common/index.mjs | 7 +- .../dependencies-empty-policy.json | 11 ++ .../dependencies-missing-policy.json | 10 ++ .../dependencies-redirect-builtin-policy.json | 10 ++ .../dependencies-redirect-policy.json | 13 ++ ...ncies-redirect-unknown-builtin-policy.json | 10 ++ .../dependencies-wildcard-policy.json | 11 ++ test/fixtures/policy/parent.js | 3 + test/parallel/test-policy-dependencies.js | 90 ++++++++++++++ test/parallel/test-policy-integrity-flag.js | 4 - test/parallel/test-policy-integrity.js | 3 +- 18 files changed, 412 insertions(+), 63 deletions(-) create mode 100644 test/fixtures/policy/dependencies/dependencies-empty-policy.json create mode 100644 test/fixtures/policy/dependencies/dependencies-missing-policy.json create mode 100644 test/fixtures/policy/dependencies/dependencies-redirect-builtin-policy.json create mode 100644 test/fixtures/policy/dependencies/dependencies-redirect-policy.json create mode 100644 test/fixtures/policy/dependencies/dependencies-redirect-unknown-builtin-policy.json create mode 100644 test/fixtures/policy/dependencies/dependencies-wildcard-policy.json create mode 100644 test/fixtures/policy/parent.js create mode 100644 test/parallel/test-policy-dependencies.js diff --git a/doc/api/errors.md b/doc/api/errors.md index f449d537ec7625..3876c4b1d2442e 100644 --- a/doc/api/errors.md +++ b/doc/api/errors.md @@ -1430,6 +1430,13 @@ An attempt was made to load a resource, but the resource did not match the integrity defined by the policy manifest. See the documentation for [policy] manifests for more information. + +### ERR_MANIFEST_DEPENDENCY_MISSING + +An attempt was made to load a resource, but the resource was not listed as a +dependency from the location that attempted to load it. See the documentation +for [policy] manifests for more information. + ### ERR_MANIFEST_INTEGRITY_MISMATCH @@ -1438,6 +1445,13 @@ entries for a resource which did not match each other. Update the manifest entries to match in order to resolve this error. See the documentation for [policy] manifests for more information. + +### ERR_MANIFEST_INVALID_RESOURCE_FIELD + +A policy manifest resource had an invalid value for one of its fields. Update +the manifest entry to match in order to resolve this error. See the +documentation for [policy] manifests for more information. + ### ERR_MANIFEST_PARSE_POLICY diff --git a/doc/api/policy.md b/doc/api/policy.md index a1955f2b3ee835..d4c649636e49a8 100644 --- a/doc/api/policy.md +++ b/doc/api/policy.md @@ -38,7 +38,7 @@ node --experimental-policy=policy.json app.js The policy manifest will be used to enforce constraints on code loaded by Node.js. -In order to mitigate tampering with policy files on disk, an integrity for +To mitigate tampering with policy files on disk, an integrity for the policy file itself may be provided via `--policy-integrity`. This allows running `node` and asserting the policy file contents even if the file is changed on disk. @@ -105,9 +105,83 @@ When loading resources the entire URL must match including search parameters and hash fragment. `./a.js?b` will not be used when attempting to load `./a.js` and vice versa. -In order to generate integrity strings, a script such as +To generate integrity strings, a script such as `printf "sha384-$(cat checked.js | openssl dgst -sha384 -binary | base64)"` can be used. +Integrity can be specified as the boolean value `true` to accept any +body for the resource which can be useful for local development. It is not +recommended in production since it would allow unexpected alteration of +resources to be considered valid. + +### Dependency Redirection + +An application may need to ship patched versions of modules or to prevent +modules from allowing all modules access to all other modules. Redirection +can be used by intercepting attempts to load the modules wishing to be +replaced. + +```json +{ + "builtins": [], + "resources": { + "./app/checked.js": { + "dependencies": { + "fs": true, + "os": "./app/node_modules/alt-os" + } + } + } +} +``` + +The dependencies are keyed by the requested string specifier and have values +of either `true` or a string pointing to a module that will be resolved. + +The specifier string does not perform any searching and must match exactly +what is provided to the `require()`. Therefore, multiple specifiers may be +needed in the policy if `require()` uses multiple different strings to point +to the same module (such as excluding the extension). + +If the value of the redirection is `true` the default searching algorithms will +be used to find the module. + +If the value of the redirection is a string, it will be resolved relative to +the manifest and then immediately be used without searching. + +Any specifier string that is `require()`ed and not listed in the dependencies +will result in an error according to the policy. + +Redirection will not prevent access to APIs through means such as direct access +to `require.cache` and/or through `module.constructor` which allow access to +loading modules. Policy redirection only affect specifiers to `require()`. +Other means such as to prevent undesired access to APIs through variables are +necessary to lock down that path of loading modules. + +A boolean value of `true` for the dependencies map can be specified to allow a +module to load any specifier without redirection. This can be useful for local +development and may have some valid usage in production, but should be used +only with care after auditing a module to ensure its behavior is valid. + +#### Example: Patched Dependency + +Since a dependency can be redirected, you can provide attenuated or modified +forms of dependencies as fits your application. For example, you could log +data about timing of function durations by wrapping the original: + +```js +const original = require('fn'); +module.exports = function fn(...args) { + console.time(); + try { + return new.target ? + Reflect.construct(original, args) : + Reflect.apply(original, this, args); + } finally { + console.timeEnd(); + } +}; +``` + [relative url string]: https://url.spec.whatwg.org/#relative-url-with-fragment-string diff --git a/lib/internal/errors.js b/lib/internal/errors.js index 481d7aeeb0b7f3..4b3856adbab442 100644 --- a/lib/internal/errors.js +++ b/lib/internal/errors.js @@ -1028,9 +1028,15 @@ E('ERR_MANIFEST_ASSERT_INTEGRITY', } return msg; }, Error); +E('ERR_MANIFEST_DEPENDENCY_MISSING', + 'Manifest resource %s does not list %s as a dependency specifier', + Error); E('ERR_MANIFEST_INTEGRITY_MISMATCH', 'Manifest resource %s has multiple entries but integrity lists do not match', SyntaxError); +E('ERR_MANIFEST_INVALID_RESOURCE_FIELD', + 'Manifest resource %s has invalid property value for %s', + TypeError); E('ERR_MANIFEST_TDZ', 'Manifest initialization has not yet run', Error); E('ERR_MANIFEST_UNKNOWN_ONERROR', 'Manifest specified unknown error behavior "%s".', diff --git a/lib/internal/modules/cjs/helpers.js b/lib/internal/modules/cjs/helpers.js index 4b35302944f111..8cc3e1dd692d80 100644 --- a/lib/internal/modules/cjs/helpers.js +++ b/lib/internal/modules/cjs/helpers.js @@ -1,19 +1,72 @@ 'use strict'; const { Object } = primordials; +const { + ERR_MANIFEST_DEPENDENCY_MISSING, + ERR_UNKNOWN_BUILTIN_MODULE +} = require('internal/errors').codes; +const { NativeModule } = require('internal/bootstrap/loaders'); +const { getOptionValue } = require('internal/options'); +const experimentalModules = getOptionValue('--experimental-modules'); const { validateString } = require('internal/validators'); const path = require('path'); -const { pathToFileURL } = require('internal/url'); +const { pathToFileURL, fileURLToPath } = require('internal/url'); const { URL } = require('url'); +const debug = require('internal/util/debuglog').debuglog('module'); + +function loadNativeModule(filename, request, experimentalModules) { + const mod = NativeModule.map.get(filename); + if (mod) { + debug('load native module %s', request); + mod.compileForPublicLoader(experimentalModules); + return mod; + } +} + // Invoke with makeRequireFunction(module) where |module| is the Module object // to use as the context for the require() function. -function makeRequireFunction(mod) { +// Use redirects to set up a mapping from a policy and restrict dependencies +function makeRequireFunction(mod, redirects) { const Module = mod.constructor; - function require(path) { - return mod.require(path); + let require; + if (redirects) { + const { map, reaction } = redirects; + const id = mod.filename || mod.id; + require = function require(path) { + let missing = true; + if (map === true) { + missing = false; + } else if (map.has(path)) { + const redirect = map.get(path); + if (redirect === true) { + missing = false; + } else if (typeof redirect === 'string') { + const parsed = new URL(redirect); + if (parsed.protocol === 'node:') { + const specifier = parsed.pathname; + const mod = loadNativeModule( + specifier, + redirect, + experimentalModules); + if (mod && mod.canBeRequiredByUsers) return mod.exports; + throw new ERR_UNKNOWN_BUILTIN_MODULE(specifier); + } else if (parsed.protocol === 'file:') { + return mod.require(fileURLToPath(parsed)); + } + } + } + if (missing) { + reaction(new ERR_MANIFEST_DEPENDENCY_MISSING(id, path)); + } + return mod.require(path); + }; + } else { + require = function require(path) { + return mod.require(path); + }; } function resolve(request, options) { @@ -134,6 +187,7 @@ function normalizeReferrerURL(referrer) { module.exports = { addBuiltinLibsToObject, builtinLibs, + loadNativeModule, makeRequireFunction, normalizeReferrerURL, stripBOM, diff --git a/lib/internal/modules/cjs/loader.js b/lib/internal/modules/cjs/loader.js index 07c36cc6d3558b..03442ae8b8d592 100644 --- a/lib/internal/modules/cjs/loader.js +++ b/lib/internal/modules/cjs/loader.js @@ -46,7 +46,8 @@ const { makeRequireFunction, normalizeReferrerURL, stripBOM, - stripShebang + stripShebang, + loadNativeModule } = require('internal/modules/cjs/helpers'); const { getOptionValue } = require('internal/options'); const preserveSymlinks = getOptionValue('--preserve-symlinks'); @@ -619,11 +620,8 @@ Module._load = function(request, parent, isMain) { return cachedModule.exports; } - const mod = NativeModule.map.get(filename); - if (mod && mod.canBeRequiredByUsers) { - debug('load native module %s', request); - return mod.compileForPublicLoader(experimentalModules); - } + const mod = loadNativeModule(filename, request, experimentalModules); + if (mod && mod.canBeRequiredByUsers) return mod.exports; // Don't call updateChildren(), Module constructor already does. const module = new Module(filename, parent); @@ -784,8 +782,11 @@ let hasPausedEntry = false; // the file. // Returns exception, if any. Module.prototype._compile = function(content, filename) { + let moduleURL; + let redirects; if (manifest) { - const moduleURL = pathToFileURL(filename); + moduleURL = pathToFileURL(filename); + redirects = manifest.getRedirects(moduleURL); manifest.assertIntegrity(moduleURL, content); } @@ -851,7 +852,7 @@ Module.prototype._compile = function(content, filename) { } } const dirname = path.dirname(filename); - const require = makeRequireFunction(this); + const require = makeRequireFunction(this, redirects); var result; const exports = this.exports; const thisValue = exports; @@ -940,7 +941,7 @@ function createRequireFromPath(filename) { m.filename = proxyPath; m.paths = Module._nodeModulePaths(m.path); - return makeRequireFunction(m); + return makeRequireFunction(m, null); } Module.createRequireFromPath = createRequireFromPath; diff --git a/lib/internal/modules/esm/translators.js b/lib/internal/modules/esm/translators.js index f39b59e4bcddc5..d693b79448cea6 100644 --- a/lib/internal/modules/esm/translators.js +++ b/lib/internal/modules/esm/translators.js @@ -9,10 +9,10 @@ const { StringPrototype } = primordials; -const { NativeModule } = require('internal/bootstrap/loaders'); const { stripShebang, - stripBOM + stripBOM, + loadNativeModule } = require('internal/modules/cjs/helpers'); const CJSModule = require('internal/modules/cjs/loader'); const internalURLModule = require('internal/url'); @@ -94,11 +94,10 @@ translators.set('builtin', async function builtinStrategy(url) { debug(`Translating BuiltinModule ${url}`); // Slice 'node:' scheme const id = url.slice(5); - const module = NativeModule.map.get(id); + const module = loadNativeModule(id, url, true); if (!module) { throw new ERR_UNKNOWN_BUILTIN_MODULE(id); } - module.compileForPublicLoader(true); return createDynamicModule( [], [...module.exportKeys, 'default'], url, (reflect) => { debug(`Loading BuiltinModule ${url}`); diff --git a/lib/internal/policy/manifest.js b/lib/internal/policy/manifest.js index 0714b2294b637f..f91eb5b0129d48 100644 --- a/lib/internal/policy/manifest.js +++ b/lib/internal/policy/manifest.js @@ -1,15 +1,20 @@ 'use strict'; const { + SafeMap, SafeWeakMap, Object, RegExpPrototype, uncurryThis } = primordials; +const { + canBeRequiredByUsers +} = require('internal/bootstrap/loaders').NativeModule; const { ERR_MANIFEST_ASSERT_INTEGRITY, ERR_MANIFEST_INTEGRITY_MISMATCH, + ERR_MANIFEST_INVALID_RESOURCE_FIELD, ERR_MANIFEST_UNKNOWN_ONERROR, } = require('internal/errors').codes; const debug = require('internal/util/debuglog').debuglog('policy'); @@ -24,6 +29,7 @@ const BufferEquals = uncurryThis(Buffer.prototype.equals); const BufferToString = uncurryThis(Buffer.prototype.toString); const { entries } = Object; const kIntegrities = new SafeWeakMap(); +const kDependencies = new SafeWeakMap(); const kReactions = new SafeWeakMap(); const kRelativeURLStringPattern = /^\.{0,2}\//; const { getOptionValue } = require('internal/options'); @@ -52,76 +58,121 @@ class Manifest { const integrities = { __proto__: null, }; - const reactions = { + const dependencies = { __proto__: null, - integrity: REACTION_THROW, }; + let reaction = REACTION_THROW; if (obj.onerror) { const behavior = obj.onerror; if (behavior === 'throw') { } else if (behavior === 'exit') { - reactions.integrity = REACTION_EXIT; + reaction = REACTION_EXIT; } else if (behavior === 'log') { - reactions.integrity = REACTION_LOG; + reaction = REACTION_LOG; } else { throw new ERR_MANIFEST_UNKNOWN_ONERROR(behavior); } } - kReactions.set(this, Object.freeze(reactions)); + kReactions.set(this, reaction); const manifestEntries = entries(obj.resources); for (var i = 0; i < manifestEntries.length; i++) { let url = manifestEntries[i][0]; - const integrity = manifestEntries[i][1].integrity; + const originalURL = url; + if (RegExpPrototype.test(kRelativeURLStringPattern, url)) { + url = new URL(url, manifestURL).href; + } + let integrity = manifestEntries[i][1].integrity; + if (!integrity) integrity = null; if (integrity != null) { - debug(`Manifest contains integrity for url ${url}`); - if (RegExpPrototype.test(kRelativeURLStringPattern, url)) { - url = new URL(url, manifestURL).href; - } + debug(`Manifest contains integrity for url ${originalURL}`); + if (typeof integrity === 'string') { + const sri = Object.freeze(SRI.parse(integrity)); + if (url in integrities) { + const old = integrities[url]; + let mismatch = false; - const sri = Object.freeze(SRI.parse(integrity)); - if (url in integrities) { - const old = integrities[url]; - let mismatch = false; - - if (old.length !== sri.length) { - mismatch = true; - } else { - compare: - for (var sriI = 0; sriI < sri.length; sriI++) { - for (var oldI = 0; oldI < old.length; oldI++) { - if (sri[sriI].algorithm === old[oldI].algorithm && - BufferEquals(sri[sriI].value, old[oldI].value) && - sri[sriI].options === old[oldI].options) { - continue compare; + if (old.length !== sri.length) { + mismatch = true; + } else { + compare: + for (var sriI = 0; sriI < sri.length; sriI++) { + for (var oldI = 0; oldI < old.length; oldI++) { + if (sri[sriI].algorithm === old[oldI].algorithm && + BufferEquals(sri[sriI].value, old[oldI].value) && + sri[sriI].options === old[oldI].options) { + continue compare; + } } + mismatch = true; + break compare; } - mismatch = true; - break compare; } - } - if (mismatch) { - throw new ERR_MANIFEST_INTEGRITY_MISMATCH(url); + if (mismatch) { + throw new ERR_MANIFEST_INTEGRITY_MISMATCH(url); + } } + integrities[url] = sri; + } else if (integrity === true) { + integrities[url] = true; + } else { + throw new ERR_MANIFEST_INVALID_RESOURCE_FIELD(url, 'integrity'); } - integrities[url] = sri; + } + + let dependencyMap = manifestEntries[i][1].dependencies; + if (dependencyMap === null || dependencyMap === undefined) { + dependencyMap = {}; + } + if (typeof dependencyMap === 'object' && !Array.isArray(dependencyMap)) { + dependencies[url] = new SafeMap(Object.entries(dependencyMap).map( + ([ from, to ]) => { + if (to === true) { + return [from, to]; + } + if (canBeRequiredByUsers(to)) { + return [from, `node:${to}`]; + } else if (RegExpPrototype.test(kRelativeURLStringPattern, to)) { + return [from, new URL(to, manifestURL).href]; + } + return [from, new URL(to).href]; + }) + ); + } else if (dependencyMap === true) { + dependencies[url] = true; + } else { + throw new ERR_MANIFEST_INVALID_RESOURCE_FIELD(url, 'dependencies'); } } Object.freeze(integrities); kIntegrities.set(this, integrities); + Object.freeze(dependencies); + kDependencies.set(this, dependencies); Object.freeze(this); } + getRedirects(requester) { + const dependencies = kDependencies.get(this); + if (dependencies && requester in dependencies) { + return { + map: dependencies[requester], + reaction: kReactions.get(this) + }; + } + return null; + } + assertIntegrity(url, content) { debug(`Checking integrity of ${url}`); const integrities = kIntegrities.get(this); - const realIntegrities = new Map(); + const realIntegrities = new SafeMap(); if (integrities && url in integrities) { const integrityEntries = integrities[url]; + if (integrityEntries === true) return true; // Avoid clobbered Symbol.iterator for (var i = 0; i < integrityEntries.length; i++) { const { @@ -139,7 +190,7 @@ class Manifest { } } const error = new ERR_MANIFEST_ASSERT_INTEGRITY(url, realIntegrities); - kReactions.get(this).integrity(error); + kReactions.get(this)(error); } } diff --git a/test/common/index.mjs b/test/common/index.mjs index 47587044020fcc..f747ee327913a5 100644 --- a/test/common/index.mjs +++ b/test/common/index.mjs @@ -1,12 +1,7 @@ // Flags: --experimental-modules /* eslint-disable node-core/require-common-first, node-core/required-modules */ -import { createRequireFromPath } from 'module'; -import { fileURLToPath as toPath } from 'url'; - -function createRequire(metaUrl) { - return createRequireFromPath(toPath(metaUrl)); -} +import { createRequire } from 'module'; const require = createRequire(import.meta.url); const common = require('./index.js'); diff --git a/test/fixtures/policy/dependencies/dependencies-empty-policy.json b/test/fixtures/policy/dependencies/dependencies-empty-policy.json new file mode 100644 index 00000000000000..9c0389cd03928f --- /dev/null +++ b/test/fixtures/policy/dependencies/dependencies-empty-policy.json @@ -0,0 +1,11 @@ +{ + "resources": { + "../parent.js": { + "integrity": true, + "dependencies": {} + }, + "../dep.js": { + "integrity": true + } + } +} \ No newline at end of file diff --git a/test/fixtures/policy/dependencies/dependencies-missing-policy.json b/test/fixtures/policy/dependencies/dependencies-missing-policy.json new file mode 100644 index 00000000000000..40d2866ba5e06d --- /dev/null +++ b/test/fixtures/policy/dependencies/dependencies-missing-policy.json @@ -0,0 +1,10 @@ +{ + "resources": { + "../parent.js": { + "integrity": true + }, + "../dep.js": { + "integrity": true + } + } +} \ No newline at end of file diff --git a/test/fixtures/policy/dependencies/dependencies-redirect-builtin-policy.json b/test/fixtures/policy/dependencies/dependencies-redirect-builtin-policy.json new file mode 100644 index 00000000000000..437228a2e50277 --- /dev/null +++ b/test/fixtures/policy/dependencies/dependencies-redirect-builtin-policy.json @@ -0,0 +1,10 @@ +{ + "resources": { + "../parent.js": { + "integrity": true, + "dependencies": { + "./dep.js": "node:util" + } + } + } +} \ No newline at end of file diff --git a/test/fixtures/policy/dependencies/dependencies-redirect-policy.json b/test/fixtures/policy/dependencies/dependencies-redirect-policy.json new file mode 100644 index 00000000000000..993a683f10a38f --- /dev/null +++ b/test/fixtures/policy/dependencies/dependencies-redirect-policy.json @@ -0,0 +1,13 @@ +{ + "resources": { + "../parent.js": { + "integrity": true, + "dependencies": { + "./dep.js": "../dep.js" + } + }, + "../dep.js": { + "integrity": true + } + } +} \ No newline at end of file diff --git a/test/fixtures/policy/dependencies/dependencies-redirect-unknown-builtin-policy.json b/test/fixtures/policy/dependencies/dependencies-redirect-unknown-builtin-policy.json new file mode 100644 index 00000000000000..db2046c6d36f07 --- /dev/null +++ b/test/fixtures/policy/dependencies/dependencies-redirect-unknown-builtin-policy.json @@ -0,0 +1,10 @@ +{ + "resources": { + "../parent.js": { + "integrity": true, + "dependencies": { + "./dep.js": "node:404" + } + } + } +} \ No newline at end of file diff --git a/test/fixtures/policy/dependencies/dependencies-wildcard-policy.json b/test/fixtures/policy/dependencies/dependencies-wildcard-policy.json new file mode 100644 index 00000000000000..04ae9a318f6dc0 --- /dev/null +++ b/test/fixtures/policy/dependencies/dependencies-wildcard-policy.json @@ -0,0 +1,11 @@ +{ + "resources": { + "../parent.js": { + "integrity": true, + "dependencies": true + }, + "../dep.js": { + "integrity": true + } + } +} \ No newline at end of file diff --git a/test/fixtures/policy/parent.js b/test/fixtures/policy/parent.js new file mode 100644 index 00000000000000..b821bfee184a35 --- /dev/null +++ b/test/fixtures/policy/parent.js @@ -0,0 +1,3 @@ +'use strict'; +// Included in parent-policy.json +require('./dep.js'); diff --git a/test/parallel/test-policy-dependencies.js b/test/parallel/test-policy-dependencies.js new file mode 100644 index 00000000000000..e7b2289714dff4 --- /dev/null +++ b/test/parallel/test-policy-dependencies.js @@ -0,0 +1,90 @@ +'use strict'; + +const common = require('../common'); +if (!common.hasCrypto) + common.skip('missing crypto'); + +const fixtures = require('../common/fixtures'); + +const assert = require('assert'); +const { spawnSync } = require('child_process'); + +const dep = fixtures.path('policy', 'parent.js'); +{ + const depPolicy = fixtures.path( + 'policy', + 'dependencies', + 'dependencies-redirect-policy.json'); + const { status } = spawnSync( + process.execPath, + [ + '--experimental-policy', depPolicy, dep, + ] + ); + assert.strictEqual(status, 0); +} +{ + const depPolicy = fixtures.path( + 'policy', + 'dependencies', + 'dependencies-redirect-builtin-policy.json'); + const { status } = spawnSync( + process.execPath, + [ + '--experimental-policy', depPolicy, dep, + ] + ); + assert.strictEqual(status, 0); +} +{ + const depPolicy = fixtures.path( + 'policy', + 'dependencies', + 'dependencies-redirect-unknown-builtin-policy.json'); + const { status } = spawnSync( + process.execPath, + [ + '--experimental-policy', depPolicy, dep, + ] + ); + assert.strictEqual(status, 1); +} +{ + const depPolicy = fixtures.path( + 'policy', + 'dependencies', + 'dependencies-wildcard-policy.json'); + const { status } = spawnSync( + process.execPath, + [ + '--experimental-policy', depPolicy, dep, + ] + ); + assert.strictEqual(status, 0); +} +{ + const depPolicy = fixtures.path( + 'policy', + 'dependencies', + 'dependencies-empty-policy.json'); + const { status } = spawnSync( + process.execPath, + [ + '--experimental-policy', depPolicy, dep, + ] + ); + assert.strictEqual(status, 1); +} +{ + const depPolicy = fixtures.path( + 'policy', + 'dependencies', + 'dependencies-missing-policy.json'); + const { status } = spawnSync( + process.execPath, + [ + '--experimental-policy', depPolicy, dep, + ] + ); + assert.strictEqual(status, 1); +} diff --git a/test/parallel/test-policy-integrity-flag.js b/test/parallel/test-policy-integrity-flag.js index 3b332758d18c0a..d97ef86cbe9d0f 100644 --- a/test/parallel/test-policy-integrity-flag.js +++ b/test/parallel/test-policy-integrity-flag.js @@ -28,10 +28,6 @@ const windowsPolicySRI = 'sha512-OeyCPRo4OZMosHyquZXDHpuU1F4KzG9UHFnn12FMaHsvqFU /* eslint-enable max-len */ const depPolicySRI = `${nixPolicySRI} ${windowsPolicySRI}`; -console.dir({ - depPolicySRI, - body: JSON.stringify(fs.readFileSync(depPolicy).toString('utf8')) -}); { const { status, stderr } = spawnSync( process.execPath, diff --git a/test/parallel/test-policy-integrity.js b/test/parallel/test-policy-integrity.js index 86d1078d9f24b3..722b45f633174d 100644 --- a/test/parallel/test-policy-integrity.js +++ b/test/parallel/test-policy-integrity.js @@ -71,7 +71,8 @@ function test({ }; for (const [url, { body, match }] of Object.entries(resources)) { manifest.resources[url] = { - integrity: `sha256-${hash('sha256', match ? body : body + '\n')}` + integrity: `sha256-${hash('sha256', match ? body : body + '\n')}`, + dependencies: true }; fs.writeFileSync(new URL(url, tmpdirURL.href), body); }