Skip to content

Commit 71e857f

Browse files
RafaelGSSjuanarbol
authored andcommitted
src,permission: add --allow-inspector ability
Refs: #48534 PR-URL: #59711 Backport-PR-URL: #60248 Reviewed-By: Santiago Gimeno <santiago.gimeno@gmail.com> Reviewed-By: Juan José Arboleda <soyjuanarbol@gmail.com> Signed-off-by: RafaelGSS <rafael.nunu@hotmail.com>
1 parent 99cdcc3 commit 71e857f

13 files changed

Lines changed: 110 additions & 4 deletions

doc/api/cli.md

Lines changed: 31 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -271,6 +271,36 @@ When passing a single flag with a comma a warning will be displayed.
271271

272272
Examples can be found in the [File System Permissions][] documentation.
273273

274+
### `--allow-inspector`
275+
276+
<!-- YAML
277+
added: REPLACEME
278+
-->
279+
280+
> Stability: 1.0 - Early development
281+
282+
When using the [Permission Model][], the process will not be able to connect
283+
through inspector protocol.
284+
285+
Attempts to do so will throw an `ERR_ACCESS_DENIED` unless the
286+
user explicitly passes the `--allow-inspector` flag when starting Node.js.
287+
288+
Example:
289+
290+
```js
291+
const { Session } = require('node:inspector/promises');
292+
293+
const session = new Session();
294+
session.connect();
295+
```
296+
297+
```console
298+
$ node --permission index.js
299+
Error: connect ERR_ACCESS_DENIED Access to this API has been restricted. Use --allow-inspector to manage permissions.
300+
code: 'ERR_ACCESS_DENIED',
301+
}
302+
```
303+
274304
### `--allow-wasi`
275305

276306
<!-- YAML
@@ -3368,6 +3398,7 @@ one is included in the list below.
33683398
* `--allow-child-process`
33693399
* `--allow-fs-read`
33703400
* `--allow-fs-write`
3401+
* `--allow-inspector`
33713402
* `--allow-wasi`
33723403
* `--allow-worker`
33733404
* `--conditions`, `-C`

doc/node-config-schema.json

Lines changed: 3 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -45,6 +45,9 @@
4545
}
4646
]
4747
},
48+
"allow-inspector": {
49+
"type": "boolean"
50+
},
4851
"allow-wasi": {
4952
"type": "boolean"
5053
},

doc/node.1

Lines changed: 3 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -85,6 +85,9 @@ Allow using native addons when using the permission model.
8585
.It Fl -allow-child-process
8686
Allow spawning process when using the permission model.
8787
.
88+
.It Fl -allow-inspector
89+
Allow inspector access when using the permission model.
90+
.
8891
.It Fl -allow-wasi
8992
Allow execution of WASI when using the permission model.
9093
.

lib/internal/process/permission.js

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -39,6 +39,7 @@ module.exports = ObjectFreeze({
3939
'--allow-fs-write',
4040
'--allow-addons',
4141
'--allow-child-process',
42+
'--allow-inspector',
4243
'--allow-wasi',
4344
'--allow-worker',
4445
];

lib/internal/process/pre_execution.js

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -650,6 +650,7 @@ function initializePermission() {
650650
const warnFlags = [
651651
'--allow-addons',
652652
'--allow-child-process',
653+
'--allow-inspector',
653654
'--allow-wasi',
654655
'--allow-worker',
655656
];

src/env.cc

Lines changed: 4 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -936,8 +936,10 @@ Environment::Environment(IsolateData* isolate_data,
936936
options_->allow_native_addons = false;
937937
permission()->Apply(this, {"*"}, permission::PermissionScope::kAddon);
938938
}
939-
flags_ = flags_ | EnvironmentFlags::kNoCreateInspector;
940-
permission()->Apply(this, {"*"}, permission::PermissionScope::kInspector);
939+
if (!options_->allow_inspector) {
940+
flags_ = flags_ | EnvironmentFlags::kNoCreateInspector;
941+
permission()->Apply(this, {"*"}, permission::PermissionScope::kInspector);
942+
}
941943
if (!options_->allow_child_process) {
942944
permission()->Apply(
943945
this, {"*"}, permission::PermissionScope::kChildProcess);

src/node_options.cc

Lines changed: 4 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -554,6 +554,10 @@ EnvironmentOptionsParser::EnvironmentOptionsParser() {
554554
"allow use of child process when any permissions are set",
555555
&EnvironmentOptions::allow_child_process,
556556
kAllowedInEnvvar);
557+
AddOption("--allow-inspector",
558+
"allow use of inspector when any permissions are set",
559+
&EnvironmentOptions::allow_inspector,
560+
kAllowedInEnvvar);
557561
AddOption("--allow-wasi",
558562
"allow wasi when any permissions are set",
559563
&EnvironmentOptions::allow_wasi,

src/node_options.h

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -139,6 +139,7 @@ class EnvironmentOptions : public Options {
139139
std::vector<std::string> allow_fs_read;
140140
std::vector<std::string> allow_fs_write;
141141
bool allow_addons = false;
142+
bool allow_inspector = false;
142143
bool allow_child_process = false;
143144
bool allow_wasi = false;
144145
bool allow_worker_threads = false;

src/permission/permission_base.h

Lines changed: 2 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -27,7 +27,8 @@ namespace permission {
2727
#define WORKER_THREADS_PERMISSIONS(V) \
2828
V(WorkerThreads, "worker", PermissionsRoot, "--allow-worker")
2929

30-
#define INSPECTOR_PERMISSIONS(V) V(Inspector, "inspector", PermissionsRoot, "")
30+
#define INSPECTOR_PERMISSIONS(V) \
31+
V(Inspector, "inspector", PermissionsRoot, "--allow-inspector")
3132

3233
#define ADDON_PERMISSIONS(V) \
3334
V(Addon, "addon", PermissionsRoot, "--allow-addons")

test/common/index.js

Lines changed: 3 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -330,6 +330,9 @@ if (hasCrypto) {
330330
knownGlobals.add(globalThis.SubtleCrypto);
331331
}
332332

333+
const { Worker } = require('node:worker_threads');
334+
knownGlobals.add(Worker);
335+
333336
function allowGlobals(...allowlist) {
334337
for (const val of allowlist) {
335338
knownGlobals.add(val);

0 commit comments

Comments
 (0)