diff --git a/doc/api/cli.md b/doc/api/cli.md index 8f6242a16c66e6..030e454b66e20e 100644 --- a/doc/api/cli.md +++ b/doc/api/cli.md @@ -269,6 +269,53 @@ Examples can be found in the [File System Permissions][] documentation. Relative paths are NOT supported through the CLI flag. +### `--allow-wasi` + + + +> Stability: 1.1 - Active development + +When using the [Permission Model][], the process will not be capable of creating +any WASI instances by default. +For security reasons, the call will throw an `ERR_ACCESS_DENIED` unless the +user explicitly passes the flag `--allow-wasi` in the main Node.js process. + +Example: + +```js +const { WASI } = require('node:wasi'); +// Attempt to bypass the permission +new WASI({ + version: 'preview1', + // Attempt to mount the whole filesystem + preopens: { + '/': '/', + }, +}); +``` + +```console +$ node --experimental-permission --allow-fs-read=* index.js +node:wasi:99 + const wrap = new _WASI(args, env, preopens, stdio); + ^ + +Error: Access to this API has been restricted + at new WASI (node:wasi:99:18) + at Object. (/home/index.js:3:1) + at Module._compile (node:internal/modules/cjs/loader:1476:14) + at Module._extensions..js (node:internal/modules/cjs/loader:1555:10) + at Module.load (node:internal/modules/cjs/loader:1288:32) + at Module._load (node:internal/modules/cjs/loader:1104:12) + at Function.executeUserEntryPoint [as runMain] (node:internal/modules/run_main:191:14) + at node:internal/main/run_main_module:30:49 { + code: 'ERR_ACCESS_DENIED', + permission: 'WASI', +} +``` + ### `--allow-worker`
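Review bot: in the new `--allow-wasi` section, the sentence "For security reasons, the call will throw an `ERR_ACCESS_DENIED`" has no antecedent for "the call" and never states the reason. The only hint is in the example's comments ("Attempt to bypass the permission", "Attempt to mount the whole filesystem"). Suggest naming the operation, for example "constructing a `WASI` instance throws `ERR_ACCESS_DENIED`", and stating in prose what the example implies: `preopens` can map a host directory such as `'/'` into the instance. The console example is run with `--allow-fs-read=*`, so it would also help to add one sentence pointing out that the denial comes from the WASI permission (`permission: 'WASI'` in the output) and not from the file system grant.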