lib,src,permission: port path.resolve to C++

Co-Authored-By: Carlos Espa <cespatorres@gmail.com>
nodejs · Nov 22, 2023 · b2649a3 · b2649a3
1 parent 8e60189
commit b2649a3
Show file tree

Hide file tree

Showing 17 changed files with 395 additions and 31 deletions.
diff --git a/src/env.cc b/src/env.cc
@@ -879,21 +879,25 @@ Environment::Environment(IsolateData* isolate_data,
     // unless explicitly allowed by the user
     options_->allow_native_addons = false;
     flags_ = flags_ | EnvironmentFlags::kNoCreateInspector;
-    permission()->Apply({"*"}, permission::PermissionScope::kInspector);
+    permission()->Apply(this, {"*"}, permission::PermissionScope::kInspector);
     if (!options_->allow_child_process) {
-      permission()->Apply({"*"}, permission::PermissionScope::kChildProcess);
+      permission()->Apply(
+          this, {"*"}, permission::PermissionScope::kChildProcess);
     }
     if (!options_->allow_worker_threads) {
-      permission()->Apply({"*"}, permission::PermissionScope::kWorkerThreads);
+      permission()->Apply(
+          this, {"*"}, permission::PermissionScope::kWorkerThreads);
     }
 
     if (!options_->allow_fs_read.empty()) {
-      permission()->Apply(options_->allow_fs_read,
+      permission()->Apply(this,
+                          options_->allow_fs_read,
                           permission::PermissionScope::kFileSystemRead);
     }
 
     if (!options_->allow_fs_write.empty()) {
-      permission()->Apply(options_->allow_fs_write,
+      permission()->Apply(this,
+                          options_->allow_fs_write,
                           permission::PermissionScope::kFileSystemWrite);
     }
   }

diff --git a/src/permission/child_process_permission.cc b/src/permission/child_process_permission.cc
@@ -9,7 +9,8 @@ namespace permission {
 
 // Currently, ChildProcess manage a single state
 // Once denied, it's always denied
-void ChildProcessPermission::Apply(const std::vector<std::string>& allow,
+void ChildProcessPermission::Apply(Environment* env,
+                                   const std::vector<std::string>& allow,
                                    PermissionScope scope) {
   deny_all_ = true;
 }

diff --git a/src/permission/child_process_permission.h b/src/permission/child_process_permission.h
@@ -12,7 +12,8 @@ namespace permission {
 
 class ChildProcessPermission final : public PermissionBase {
  public:
-  void Apply(const std::vector<std::string>& allow,
+  void Apply(Environment* env,
+             const std::vector<std::string>& allow,
              PermissionScope scope) override;
   bool is_granted(PermissionScope perm,
                   const std::string_view& param = "") const override;

diff --git a/src/permission/fs_permission.cc b/src/permission/fs_permission.cc
@@ -117,7 +117,8 @@ namespace permission {
 
 // allow = '*'
 // allow = '/tmp/,/home/example.js'
-void FSPermission::Apply(const std::vector<std::string>& allow,
+void FSPermission::Apply(Environment* env,
+                         const std::vector<std::string>& allow,
                          PermissionScope scope) {
   for (const std::string& res : allow) {
     if (res == "*") {
@@ -130,7 +131,7 @@ void FSPermission::Apply(const std::vector<std::string>& allow,
       }
       return;
     }
-    GrantAccess(scope, res);
+    GrantAccess(scope, PathResolve(env, {res}));
   }
 }
 

diff --git a/src/permission/fs_permission.h b/src/permission/fs_permission.h
@@ -15,7 +15,8 @@ namespace permission {
 
 class FSPermission final : public PermissionBase {
  public:
-  void Apply(const std::vector<std::string>& allow,
+  void Apply(Environment* env,
+             const std::vector<std::string>& allow,
              PermissionScope scope) override;
   bool is_granted(PermissionScope perm,
                   const std::string_view& param) const override;

diff --git a/src/permission/inspector_permission.cc b/src/permission/inspector_permission.cc
@@ -8,7 +8,8 @@ namespace permission {
 
 // Currently, Inspector manage a single state
 // Once denied, it's always denied
-void InspectorPermission::Apply(const std::vector<std::string>& allow,
+void InspectorPermission::Apply(Environment* env,
+                                const std::vector<std::string>& allow,
                                 PermissionScope scope) {
   deny_all_ = true;
 }

diff --git a/src/permission/inspector_permission.h b/src/permission/inspector_permission.h
@@ -12,7 +12,8 @@ namespace permission {
 
 class InspectorPermission final : public PermissionBase {
  public:
-  void Apply(const std::vector<std::string>& allow,
+  void Apply(Environment* env,
+             const std::vector<std::string>& allow,
              PermissionScope scope) override;
   bool is_granted(PermissionScope perm,
                   const std::string_view& param = "") const override;

diff --git a/src/permission/permission.cc b/src/permission/permission.cc
@@ -130,11 +130,12 @@ void Permission::EnablePermissions() {
   }
 }
 
-void Permission::Apply(const std::vector<std::string>& allow,
+void Permission::Apply(Environment* env,
+                       const std::vector<std::string>& allow,
                        PermissionScope scope) {
   auto permission = nodes_.find(scope);
   if (permission != nodes_.end()) {
-    permission->second->Apply(allow, scope);
+    permission->second->Apply(env, allow, scope);
   }
 }
 

diff --git a/src/permission/permission.h b/src/permission/permission.h
@@ -49,7 +49,9 @@ class Permission {
                                 const std::string_view& res);
 
   // CLI Call
-  void Apply(const std::vector<std::string>& allow, PermissionScope scope);
+  void Apply(Environment* env,
+             const std::vector<std::string>& allow,
+             PermissionScope scope);
   void EnablePermissions();
 
  private:

diff --git a/src/permission/permission_base.h b/src/permission/permission_base.h
@@ -10,6 +10,8 @@
 
 namespace node {
 
+class Environment;
+
 namespace permission {
 
 #define FILESYSTEM_PERMISSIONS(V)                                              \
@@ -39,7 +41,8 @@ enum class PermissionScope {
 
 class PermissionBase {
  public:
-  virtual void Apply(const std::vector<std::string>& allow,
+  virtual void Apply(Environment* env,
+                     const std::vector<std::string>& allow,
                      PermissionScope scope) = 0;
   virtual bool is_granted(PermissionScope perm,
                           const std::string_view& param = "") const = 0;

diff --git a/src/permission/worker_permission.cc b/src/permission/worker_permission.cc
@@ -9,7 +9,8 @@ namespace permission {
 
 // Currently, PolicyDenyWorker manage a single state
 // Once denied, it's always denied
-void WorkerPermission::Apply(const std::vector<std::string>& allow,
+void WorkerPermission::Apply(Environment* env,
+                             const std::vector<std::string>& allow,
                              PermissionScope scope) {
   deny_all_ = true;
 }

diff --git a/src/permission/worker_permission.h b/src/permission/worker_permission.h
@@ -12,7 +12,8 @@ namespace permission {
 
 class WorkerPermission final : public PermissionBase {
  public:
-  void Apply(const std::vector<std::string>& allow,
+  void Apply(Environment* env,
+             const std::vector<std::string>& allow,
              PermissionScope scope) override;
   bool is_granted(PermissionScope perm,
                   const std::string_view& param = "") const override;