Skip to content

src,permission: do not throw on denied access in audit mode#64426

Open
edsadr wants to merge 1 commit into
nodejs:mainfrom
edsadr:permission-audit-no-throw
Open

src,permission: do not throw on denied access in audit mode#64426
edsadr wants to merge 1 commit into
nodejs:mainfrom
edsadr:permission-audit-no-throw

Conversation

@edsadr

@edsadr edsadr commented Jul 11, 2026

Copy link
Copy Markdown
Contributor

The THROW_IF_INSUFFICIENT_PERMISSIONS and
ASYNC_THROW_IF_INSUFFICIENT_PERMISSIONS macros called ThrowAccessDenied/AsyncThrowAccessDenied unconditionally and only guarded the return with warning_only().
ERR_ACCESS_DENIED_IF_INSUFFICIENT_PERMISSIONS had no warning_only() guard at all — it always set the access-denied error and returned. As a result, running with --permission-audit still produced ERR_ACCESS_DENIED on any denied operation (fs, net, child_process, worker, addon, ffi, inspector, wasi), defeating the audit-only purpose of the flag.

Guard the denied-error path behind !warning_only() in all three macros. In audit mode, the diagnostics-channel message is published (already done in Permission::is_scope_granted) and execution continues; in enforce mode (--permission), behavior is unchanged — the error is raised and the call returns.

The tests cover both the direct (top-level) call and an eval()-wrapped call: the direct call exercises the normal script path, and the eval()-wrapped call exercises the V8 script-context boundary (the diagnostics subscriber is registered in the outer module context while the denied operation runs inside an eval'd string).

Refs: 9ddd1a9

The THROW_IF_INSUFFICIENT_PERMISSIONS and
ASYNC_THROW_IF_INSUFFICIENT_PERMISSIONS macros called
ThrowAccessDenied/AsyncThrowAccessDenied unconditionally and only
guarded the `return` with `warning_only()`.
ERR_ACCESS_DENIED_IF_INSUFFICIENT_PERMISSIONS had no `warning_only()`
guard at all — it always set the access-denied error and returned.
As a result, running with `--permission-audit` still produced
ERR_ACCESS_DENIED on any denied operation (fs, net, child_process,
worker, addon, ffi, inspector, wasi), defeating the audit-only purpose
of the flag.

Guard the denied-error path behind `!warning_only()` in all three
macros. In audit mode, the diagnostics-channel message is published
(already done in Permission::is_scope_granted) and execution continues;
in enforce mode (`--permission`), behavior is unchanged — the error is
raised and the call returns.

The tests cover both the direct (top-level) call and an `eval()`-wrapped
call: the direct call exercises the normal script path, and the
`eval()`-wrapped call exercises the V8 script-context boundary (the
diagnostics subscriber is registered in the outer module context while
the denied operation runs inside an eval'd string).

Refs: nodejs@9ddd1a9
Signed-off-by: Adrian Estrada <edsadr@gmail.com>
@nodejs-github-bot

Copy link
Copy Markdown
Collaborator

Review requested:

  • @nodejs/security-wg

@nodejs-github-bot nodejs-github-bot added c++ Issues and PRs that require attention from people who are familiar with C++. needs-ci PRs that need a full CI run. labels Jul 11, 2026
@codecov

codecov Bot commented Jul 11, 2026

Copy link
Copy Markdown

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 90.24%. Comparing base (8fec65d) to head (bf78f9b).
⚠️ Report is 9 commits behind head on main.

Additional details and impacted files
@@            Coverage Diff             @@
##             main   #64426      +/-   ##
==========================================
- Coverage   90.25%   90.24%   -0.01%     
==========================================
  Files         741      741              
  Lines      241207   241384     +177     
  Branches    45430    45479      +49     
==========================================
+ Hits       217698   217848     +150     
- Misses      15084    15087       +3     
- Partials     8425     8449      +24     
Files with missing lines Coverage Δ
src/permission/permission.h 100.00% <ø> (ø)

... and 31 files with indirect coverage changes

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

c++ Issues and PRs that require attention from people who are familiar with C++. needs-ci PRs that need a full CI run.

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants