nodejs/test/parallel/test-permission-allow-child-process-cli.js

// Flags: --permission --allow-child-process --allow-fs-read=*
'use strict';

const common = require('../common');

const { isMainThread } = require('worker_threads');

if (!isMainThread) {
  common.skip('This test only works on a main thread');
}

const assert = require('assert');
const childProcess = require('child_process');
const fs = require('fs');

if (process.argv[2] === 'child') {
  assert.throws(() => {
    fs.writeFileSync(__filename, 'should not write');
  }, common.expectsError({
    code: 'ERR_ACCESS_DENIED',
    permission: 'FileSystemWrite',
  }));
  process.exit(0);
}

// Guarantee the initial state
{
  assert.ok(process.permission.has('child'));
}

// When a permission is set by cli, the process shouldn't be able
// to spawn unless --allow-child-process is sent
{
  // doesNotThrow
  childProcess.spawnSync(process.execPath, ['--version']);
  childProcess.execSync(...common.escapePOSIXShell`"${process.execPath}" --version`);
  const child = childProcess.fork(__filename, ['child']);
  child.on('close', common.mustCall());
  childProcess.execFileSync(process.execPath, ['--version']);
}
src,lib: stabilize permission model Move permission model from 1.1 (Active Development) to 2.0 (Stable). PR-URL: https://github.com/nodejs/node/pull/56201 Reviewed-By: Yagiz Nizipli <yagiz@nizipli.com> Reviewed-By: Matteo Collina <matteo.collina@gmail.com> Reviewed-By: Santiago Gimeno <santiago.gimeno@gmail.com> Reviewed-By: Marco Ippolito <marcoippolito54@gmail.com> Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Stephen Belanger <admin@stephenbelanger.com> 2024-12-12 09:11:58 -03:00			`// Flags: --permission --allow-child-process --allow-fs-read=*`
src,process: add permission model Signed-off-by: RafaelGSS <rafael.nunu@hotmail.com> PR-URL: https://github.com/nodejs/node/pull/44004 Reviewed-By: Gireesh Punathil <gpunathi@in.ibm.com> Reviewed-By: Matteo Collina <matteo.collina@gmail.com> Reviewed-By: Michaël Zasso <targos@protonmail.com> Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Paolo Insogna <paolo@cowtech.it> Reviewed-By: Colin Ihrig <cjihrig@gmail.com> 2023-02-23 15:11:51 -03:00			`'use strict';`

			`const common = require('../common');`
test: rely less on duplicative common test harness utilities There are several cleanups here that are not just style nits... 1. The `common.isMainThread` was just a passthrough to the `isMainThread` export on the worker_thread module. It's use was inconsistent and just obfuscated the fact that the test file depend on the `worker_threads` built-in. By eliminating it we simplify the test harness a bit and make it clearer which tests depend on the worker_threads check. 2. The `common.isDumbTerminal` is fairly unnecesary since that just wraps a public API check. 3. Several of the `common.skipIf....` checks were inconsistently used and really don't need to be separate utility functions. A key part of the motivation here is to work towards making more of the tests more self-contained and less reliant on the common test harness where possible. PR-URL: https://github.com/nodejs/node/pull/56712 Reviewed-By: Yagiz Nizipli <yagiz@nizipli.com> Reviewed-By: Matteo Collina <matteo.collina@gmail.com> 2025-01-22 14:19:38 -08:00
			`const { isMainThread } = require('worker_threads');`

			`if (!isMainThread) {`
			`common.skip('This test only works on a main thread');`
			`}`

src,process: add permission model Signed-off-by: RafaelGSS <rafael.nunu@hotmail.com> PR-URL: https://github.com/nodejs/node/pull/44004 Reviewed-By: Gireesh Punathil <gpunathi@in.ibm.com> Reviewed-By: Matteo Collina <matteo.collina@gmail.com> Reviewed-By: Michaël Zasso <targos@protonmail.com> Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Paolo Insogna <paolo@cowtech.it> Reviewed-By: Colin Ihrig <cjihrig@gmail.com> 2023-02-23 15:11:51 -03:00			`const assert = require('assert');`
			`const childProcess = require('child_process');`
test: clarify fork inherit permission flags This commit updates the documentation and includes a test to ensure that permission model flags will be passed to the child process if `fork` is called PR-URL: https://github.com/nodejs/node/pull/56523 Reviewed-By: Marco Ippolito <marcoippolito54@gmail.com> Reviewed-By: James M Snell <jasnell@gmail.com> 2025-01-11 18:11:16 -03:00			`const fs = require('fs');`
src,process: add permission model Signed-off-by: RafaelGSS <rafael.nunu@hotmail.com> PR-URL: https://github.com/nodejs/node/pull/44004 Reviewed-By: Gireesh Punathil <gpunathi@in.ibm.com> Reviewed-By: Matteo Collina <matteo.collina@gmail.com> Reviewed-By: Michaël Zasso <targos@protonmail.com> Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Paolo Insogna <paolo@cowtech.it> Reviewed-By: Colin Ihrig <cjihrig@gmail.com> 2023-02-23 15:11:51 -03:00
			`if (process.argv[2] === 'child') {`
test: clarify fork inherit permission flags This commit updates the documentation and includes a test to ensure that permission model flags will be passed to the child process if `fork` is called PR-URL: https://github.com/nodejs/node/pull/56523 Reviewed-By: Marco Ippolito <marcoippolito54@gmail.com> Reviewed-By: James M Snell <jasnell@gmail.com> 2025-01-11 18:11:16 -03:00			`assert.throws(() => {`
			`fs.writeFileSync(__filename, 'should not write');`
			`}, common.expectsError({`
			`code: 'ERR_ACCESS_DENIED',`
			`permission: 'FileSystemWrite',`
			`}));`
src,process: add permission model Signed-off-by: RafaelGSS <rafael.nunu@hotmail.com> PR-URL: https://github.com/nodejs/node/pull/44004 Reviewed-By: Gireesh Punathil <gpunathi@in.ibm.com> Reviewed-By: Matteo Collina <matteo.collina@gmail.com> Reviewed-By: Michaël Zasso <targos@protonmail.com> Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Paolo Insogna <paolo@cowtech.it> Reviewed-By: Colin Ihrig <cjihrig@gmail.com> 2023-02-23 15:11:51 -03:00			`process.exit(0);`
			`}`

			`// Guarantee the initial state`
			`{`
			`assert.ok(process.permission.has('child'));`
			`}`

			`// When a permission is set by cli, the process shouldn't be able`
			`// to spawn unless --allow-child-process is sent`
			`{`
			`// doesNotThrow`
			`childProcess.spawnSync(process.execPath, ['--version']);`
test: add `escapePOSIXShell` util PR-URL: https://github.com/nodejs/node/pull/55125 Reviewed-By: Jacob Smith <jacob@frende.me> Reviewed-By: Benjamin Gruenbaum <benjamingr@gmail.com> Reviewed-By: LiviaMedeiros <livia@cirno.name> Reviewed-By: Moshe Atlow <moshe@atlow.co.il> 2024-09-29 22:44:52 +02:00			childProcess.execSync(...common.escapePOSIXShell`"${process.execPath}" --version`);
test: clarify fork inherit permission flags This commit updates the documentation and includes a test to ensure that permission model flags will be passed to the child process if `fork` is called PR-URL: https://github.com/nodejs/node/pull/56523 Reviewed-By: Marco Ippolito <marcoippolito54@gmail.com> Reviewed-By: James M Snell <jasnell@gmail.com> 2025-01-11 18:11:16 -03:00			`const child = childProcess.fork(__filename, ['child']);`
			`child.on('close', common.mustCall());`
src,process: add permission model Signed-off-by: RafaelGSS <rafael.nunu@hotmail.com> PR-URL: https://github.com/nodejs/node/pull/44004 Reviewed-By: Gireesh Punathil <gpunathi@in.ibm.com> Reviewed-By: Matteo Collina <matteo.collina@gmail.com> Reviewed-By: Michaël Zasso <targos@protonmail.com> Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Paolo Insogna <paolo@cowtech.it> Reviewed-By: Colin Ihrig <cjihrig@gmail.com> 2023-02-23 15:11:51 -03:00			`childProcess.execFileSync(process.execPath, ['--version']);`
			`}`