nodejs/test/parallel/test-permission-fs-require.js

// Flags: --permission --allow-fs-read=* --allow-child-process
'use strict';

const common = require('../common');

const { isMainThread } = require('worker_threads');

if (!isMainThread) {
  common.skip('This test only works on a main thread');
}

const fixtures = require('../common/fixtures');

const assert = require('node:assert');
const { spawnSync } = require('node:child_process');

{
  const mainModule = fixtures.path('permission', 'main-module.js');
  const requiredModule = fixtures.path('permission', 'required-module.js');
  const { status, stdout, stderr } = spawnSync(
    process.execPath,
    [
      '--permission',
      '--allow-fs-read', mainModule,
      '--allow-fs-read', requiredModule,
      mainModule,
    ]
  );

  assert.strictEqual(status, 0, stderr.toString());
  assert.strictEqual(stdout.toString(), 'ok\n');
}

{
  // When required module is not passed as allowed path
  const mainModule = fixtures.path('permission', 'main-module.js');
  const { status, stderr } = spawnSync(
    process.execPath,
    [
      '--permission',
      '--allow-fs-read', mainModule,
      mainModule,
    ]
  );

  assert.strictEqual(status, 1, stderr.toString());
  assert.match(stderr.toString(), /Error: Access to this API has been restricted/);
}

{
  // ESM loader test
  const mainModule = fixtures.path('permission', 'main-module.mjs');
  const requiredModule = fixtures.path('permission', 'required-module.mjs');
  const { status, stdout, stderr } = spawnSync(
    process.execPath,
    [
      '--permission',
      '--allow-fs-read', mainModule,
      '--allow-fs-read', requiredModule,
      mainModule,
    ]
  );

  assert.strictEqual(status, 0, stderr.toString());
  assert.strictEqual(stdout.toString(), 'ok\n');
}

{
  // When required module is not passed as allowed path (ESM)
  const mainModule = fixtures.path('permission', 'main-module.mjs');
  const { status, stderr } = spawnSync(
    process.execPath,
    [
      '--permission',
      '--allow-fs-read', mainModule,
      mainModule,
    ]
  );

  assert.strictEqual(status, 1, stderr.toString());
  assert.match(stderr.toString(), /Error: Access to this API has been restricted/);
}
src,lib: stabilize permission model Move permission model from 1.1 (Active Development) to 2.0 (Stable). PR-URL: https://github.com/nodejs/node/pull/56201 Reviewed-By: Yagiz Nizipli <yagiz@nizipli.com> Reviewed-By: Matteo Collina <matteo.collina@gmail.com> Reviewed-By: Santiago Gimeno <santiago.gimeno@gmail.com> Reviewed-By: Marco Ippolito <marcoippolito54@gmail.com> Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Stephen Belanger <admin@stephenbelanger.com> 2024-12-12 09:11:58 -03:00			`// Flags: --permission --allow-fs-read=* --allow-child-process`
permission: ignore internalModuleStat on module loading This improves Permission Model usage when allowing read access to specifi modules. To achieve that, the permission model check on internalModuleStat has been removed meaning that on module loading, uv_fs_stat is performed on files and folders even when the permission model is enabled. Although a uv_fs_stat is performed, reading/executing the module will still pass by the permission model check. Without this PR when an app tries to --allow-fs-read=./a.js --allow-fs-read=./b.js where `a` attempt to load b, it will fails as it reads $pwd and no permission has been given to this path. PR-URL: https://github.com/nodejs/node/pull/55797 Reviewed-By: Yagiz Nizipli <yagiz@nizipli.com> Reviewed-By: Ulises Gascón <ulisesgascongonzalez@gmail.com> 2024-11-11 14:31:44 -03:00			`'use strict';`

			`const common = require('../common');`
test: rely less on duplicative common test harness utilities There are several cleanups here that are not just style nits... 1. The `common.isMainThread` was just a passthrough to the `isMainThread` export on the worker_thread module. It's use was inconsistent and just obfuscated the fact that the test file depend on the `worker_threads` built-in. By eliminating it we simplify the test harness a bit and make it clearer which tests depend on the worker_threads check. 2. The `common.isDumbTerminal` is fairly unnecesary since that just wraps a public API check. 3. Several of the `common.skipIf....` checks were inconsistently used and really don't need to be separate utility functions. A key part of the motivation here is to work towards making more of the tests more self-contained and less reliant on the common test harness where possible. PR-URL: https://github.com/nodejs/node/pull/56712 Reviewed-By: Yagiz Nizipli <yagiz@nizipli.com> Reviewed-By: Matteo Collina <matteo.collina@gmail.com> 2025-01-22 14:19:38 -08:00
			`const { isMainThread } = require('worker_threads');`

			`if (!isMainThread) {`
			`common.skip('This test only works on a main thread');`
			`}`

permission: ignore internalModuleStat on module loading This improves Permission Model usage when allowing read access to specifi modules. To achieve that, the permission model check on internalModuleStat has been removed meaning that on module loading, uv_fs_stat is performed on files and folders even when the permission model is enabled. Although a uv_fs_stat is performed, reading/executing the module will still pass by the permission model check. Without this PR when an app tries to --allow-fs-read=./a.js --allow-fs-read=./b.js where `a` attempt to load b, it will fails as it reads $pwd and no permission has been given to this path. PR-URL: https://github.com/nodejs/node/pull/55797 Reviewed-By: Yagiz Nizipli <yagiz@nizipli.com> Reviewed-By: Ulises Gascón <ulisesgascongonzalez@gmail.com> 2024-11-11 14:31:44 -03:00			`const fixtures = require('../common/fixtures');`

			`const assert = require('node:assert');`
			`const { spawnSync } = require('node:child_process');`

			`{`
			`const mainModule = fixtures.path('permission', 'main-module.js');`
			`const requiredModule = fixtures.path('permission', 'required-module.js');`
			`const { status, stdout, stderr } = spawnSync(`
			`process.execPath,`
			`[`
src,lib: stabilize permission model Move permission model from 1.1 (Active Development) to 2.0 (Stable). PR-URL: https://github.com/nodejs/node/pull/56201 Reviewed-By: Yagiz Nizipli <yagiz@nizipli.com> Reviewed-By: Matteo Collina <matteo.collina@gmail.com> Reviewed-By: Santiago Gimeno <santiago.gimeno@gmail.com> Reviewed-By: Marco Ippolito <marcoippolito54@gmail.com> Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Stephen Belanger <admin@stephenbelanger.com> 2024-12-12 09:11:58 -03:00			`'--permission',`
permission: ignore internalModuleStat on module loading This improves Permission Model usage when allowing read access to specifi modules. To achieve that, the permission model check on internalModuleStat has been removed meaning that on module loading, uv_fs_stat is performed on files and folders even when the permission model is enabled. Although a uv_fs_stat is performed, reading/executing the module will still pass by the permission model check. Without this PR when an app tries to --allow-fs-read=./a.js --allow-fs-read=./b.js where `a` attempt to load b, it will fails as it reads $pwd and no permission has been given to this path. PR-URL: https://github.com/nodejs/node/pull/55797 Reviewed-By: Yagiz Nizipli <yagiz@nizipli.com> Reviewed-By: Ulises Gascón <ulisesgascongonzalez@gmail.com> 2024-11-11 14:31:44 -03:00			`'--allow-fs-read', mainModule,`
			`'--allow-fs-read', requiredModule,`
			`mainModule,`
			`]`
			`);`

			`assert.strictEqual(status, 0, stderr.toString());`
			`assert.strictEqual(stdout.toString(), 'ok\n');`
			`}`

			`{`
			`// When required module is not passed as allowed path`
			`const mainModule = fixtures.path('permission', 'main-module.js');`
			`const { status, stderr } = spawnSync(`
			`process.execPath,`
			`[`
src,lib: stabilize permission model Move permission model from 1.1 (Active Development) to 2.0 (Stable). PR-URL: https://github.com/nodejs/node/pull/56201 Reviewed-By: Yagiz Nizipli <yagiz@nizipli.com> Reviewed-By: Matteo Collina <matteo.collina@gmail.com> Reviewed-By: Santiago Gimeno <santiago.gimeno@gmail.com> Reviewed-By: Marco Ippolito <marcoippolito54@gmail.com> Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Stephen Belanger <admin@stephenbelanger.com> 2024-12-12 09:11:58 -03:00			`'--permission',`
permission: ignore internalModuleStat on module loading This improves Permission Model usage when allowing read access to specifi modules. To achieve that, the permission model check on internalModuleStat has been removed meaning that on module loading, uv_fs_stat is performed on files and folders even when the permission model is enabled. Although a uv_fs_stat is performed, reading/executing the module will still pass by the permission model check. Without this PR when an app tries to --allow-fs-read=./a.js --allow-fs-read=./b.js where `a` attempt to load b, it will fails as it reads $pwd and no permission has been given to this path. PR-URL: https://github.com/nodejs/node/pull/55797 Reviewed-By: Yagiz Nizipli <yagiz@nizipli.com> Reviewed-By: Ulises Gascón <ulisesgascongonzalez@gmail.com> 2024-11-11 14:31:44 -03:00			`'--allow-fs-read', mainModule,`
			`mainModule,`
			`]`
			`);`

			`assert.strictEqual(status, 1, stderr.toString());`
			`assert.match(stderr.toString(), /Error: Access to this API has been restricted/);`
			`}`

			`{`
			`// ESM loader test`
			`const mainModule = fixtures.path('permission', 'main-module.mjs');`
			`const requiredModule = fixtures.path('permission', 'required-module.mjs');`
			`const { status, stdout, stderr } = spawnSync(`
			`process.execPath,`
			`[`
src,lib: stabilize permission model Move permission model from 1.1 (Active Development) to 2.0 (Stable). PR-URL: https://github.com/nodejs/node/pull/56201 Reviewed-By: Yagiz Nizipli <yagiz@nizipli.com> Reviewed-By: Matteo Collina <matteo.collina@gmail.com> Reviewed-By: Santiago Gimeno <santiago.gimeno@gmail.com> Reviewed-By: Marco Ippolito <marcoippolito54@gmail.com> Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Stephen Belanger <admin@stephenbelanger.com> 2024-12-12 09:11:58 -03:00			`'--permission',`
permission: ignore internalModuleStat on module loading This improves Permission Model usage when allowing read access to specifi modules. To achieve that, the permission model check on internalModuleStat has been removed meaning that on module loading, uv_fs_stat is performed on files and folders even when the permission model is enabled. Although a uv_fs_stat is performed, reading/executing the module will still pass by the permission model check. Without this PR when an app tries to --allow-fs-read=./a.js --allow-fs-read=./b.js where `a` attempt to load b, it will fails as it reads $pwd and no permission has been given to this path. PR-URL: https://github.com/nodejs/node/pull/55797 Reviewed-By: Yagiz Nizipli <yagiz@nizipli.com> Reviewed-By: Ulises Gascón <ulisesgascongonzalez@gmail.com> 2024-11-11 14:31:44 -03:00			`'--allow-fs-read', mainModule,`
			`'--allow-fs-read', requiredModule,`
			`mainModule,`
			`]`
			`);`

			`assert.strictEqual(status, 0, stderr.toString());`
			`assert.strictEqual(stdout.toString(), 'ok\n');`
			`}`

			`{`
			`// When required module is not passed as allowed path (ESM)`
			`const mainModule = fixtures.path('permission', 'main-module.mjs');`
			`const { status, stderr } = spawnSync(`
			`process.execPath,`
			`[`
src,lib: stabilize permission model Move permission model from 1.1 (Active Development) to 2.0 (Stable). PR-URL: https://github.com/nodejs/node/pull/56201 Reviewed-By: Yagiz Nizipli <yagiz@nizipli.com> Reviewed-By: Matteo Collina <matteo.collina@gmail.com> Reviewed-By: Santiago Gimeno <santiago.gimeno@gmail.com> Reviewed-By: Marco Ippolito <marcoippolito54@gmail.com> Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Stephen Belanger <admin@stephenbelanger.com> 2024-12-12 09:11:58 -03:00			`'--permission',`
permission: ignore internalModuleStat on module loading This improves Permission Model usage when allowing read access to specifi modules. To achieve that, the permission model check on internalModuleStat has been removed meaning that on module loading, uv_fs_stat is performed on files and folders even when the permission model is enabled. Although a uv_fs_stat is performed, reading/executing the module will still pass by the permission model check. Without this PR when an app tries to --allow-fs-read=./a.js --allow-fs-read=./b.js where `a` attempt to load b, it will fails as it reads $pwd and no permission has been given to this path. PR-URL: https://github.com/nodejs/node/pull/55797 Reviewed-By: Yagiz Nizipli <yagiz@nizipli.com> Reviewed-By: Ulises Gascón <ulisesgascongonzalez@gmail.com> 2024-11-11 14:31:44 -03:00			`'--allow-fs-read', mainModule,`
			`mainModule,`
			`]`
			`);`

			`assert.strictEqual(status, 1, stderr.toString());`
			`assert.match(stderr.toString(), /Error: Access to this API has been restricted/);`
			`}`