Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Experimental permission wildcards seem to not be additive #50659

Closed
jellelicht opened this issue Nov 10, 2023 · 0 comments · Fixed by #51209
Closed

Experimental permission wildcards seem to not be additive #50659

jellelicht opened this issue Nov 10, 2023 · 0 comments · Fixed by #51209
Labels
permission Issues and PRs related to the Permission Model

Comments

@jellelicht
Copy link

jellelicht commented Nov 10, 2023
edited
Loading

Version

v20.9.0

Platform

Linux revint 6.5.9 #1 SMP PREEMPT_DYNAMIC 1 x86_64 GNU/Linux

Subsystem

No response

What steps will reproduce the bug?

Running the following:

node --experimental-permission --allow-fs-read="/a/b/*" --allow-fs-read=/a/b/d  -e "require('fs').readFile('/a/b/c', () => undefined);"

How often does it reproduce? Is there a required condition?

Consistently. The order of --allow-fs-read arguments does not seem to matter.

What is the expected behavior? Why is that the expected behavior?

One would assume, perhaps naively, that wildcards are additive to other/existing entries.

What do you see instead?

... will fail with:

node:fs:385
  binding.open(pathModule.toNamespacedPath(path),
          ^

Error: Access to this API has been restricted
    at Object.readFile (node:fs:385:11)
    at [eval]:1:15
    at Script.runInThisContext (node:vm:122:12)
    at Object.runInThisContext (node:vm:296:38)
    at node:internal/process/execution:83:21
    at [eval]-wrapper:6:24
    at runScript (node:internal/process/execution:82:62)
    at evalScript (node:internal/process/execution:104:10)
    at node:internal/main/eval_string:50:3 {
  code: 'ERR_ACCESS_DENIED',
  permission: 'FileSystemRead',
  resource: '/a/b/c'
}

Node.js v20.9.0

Additional information

This issue was found while trying to run Node's testsuite while building node itself in a subdirectory of /tmp.

The offending test:
/tmp/node-v20.9.0/test/parallel/test-permission-fs-wildcard.js
@marco-ippolito marco-ippolito added the permission Issues and PRs related to the Permission Model label Nov 12, 2023
@RafaelGSS RafaelGSS mentioned this issue Dec 18, 2023
Merged
nodejs-github-bot pushed a commit that referenced this issue Dec 21, 2023
@RafaelGSS
permission: fix wildcard when children > 1
3f2e234 
PR-URL: #51209
Fixes: #50659
Reviewed-By: Stephen Belanger <admin@stephenbelanger.com>
Reviewed-By: Paolo Insogna <paolo@cowtech.it>
Reviewed-By: Rich Trott <rtrott@gmail.com>
RafaelGSS added a commit that referenced this issue Jan 2, 2024
@RafaelGSS
permission: fix wildcard when children > 1
8f4325d 
PR-URL: #51209
Fixes: #50659
Reviewed-By: Stephen Belanger <admin@stephenbelanger.com>
Reviewed-By: Paolo Insogna <paolo@cowtech.it>
Reviewed-By: Rich Trott <rtrott@gmail.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
permission Issues and PRs related to the Permission Model
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

permission: fix wildcard when children > 1 RafaelGSS/node
2 participants
@jellelicht @marco-ippolito