permission: do not throw on denied access in audit mode#64398
Closed
edsadr wants to merge 1 commit into
Closed
Conversation
The THROW_IF_INSUFFICIENT_PERMISSIONS and ASYNC_THROW_IF_INSUFFICIENT_PERMISSIONS macros called ThrowAccessDenied/AsyncThrowAccessDenied unconditionally, then only guarded the `return` with `warning_only()`. As a result, running with `--permission-audit` still threw ERR_ACCESS_DENIED on any denied operation (fs, net, child_process, worker, addon, ffi, inspector, wasi), defeating the audit-only purpose of the flag. Move the throw/reject inside the `!warning_only()` branch so that, in audit mode, the diagnostics-channel message is published (already done in Permission::is_scope_granted) and execution continues; in enforce mode (`--permission`), behavior is unchanged — the error is thrown and the call returns. Refs: nodejs@9ddd1a9 Signed-off-by: Adrian Estrada <edsadr@gmail.com>
Collaborator
|
Review requested:
|
Codecov Report✅ All modified and coverable lines are covered by tests. Additional details and impacted files@@ Coverage Diff @@
## main #64398 +/- ##
=======================================
Coverage 90.25% 90.25%
=======================================
Files 741 741
Lines 241207 241207
Branches 45430 45424 -6
=======================================
+ Hits 217698 217704 +6
+ Misses 15084 15068 -16
- Partials 8425 8435 +10
🚀 New features to boost your workflow:
|
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
--permission-auditis intended to be an observe-only mode: it publishesdenial events to the
node:permission-model:*diagnostics channels withoutblocking the operation. Only
--permission(enforce mode) should throwERR_ACCESS_DENIED.The two C++ macros that gate every denied call site
(
THROW_IF_INSUFFICIENT_PERMISSIONSfor sync paths,ASYNC_THROW_IF_INSUFFICIENT_PERMISSIONSfor async paths) insrc/permission/permission.hwere structured as:ThrowAccessDeniedraises the V8 exception unconditionally — before thewarning_only()check. So in--permission-auditmode (wherewarning_only_=true, set insrc/env.cc) the exception is still thrown,defeating the audit-only purpose of the flag. The diagnostics message is
published correctly (that happens inside
Permission::is_scope_granted), butthen the API call wrongly throws instead of continuing.
This moves the throw/reject inside the
!warning_only()branch for both macros.In audit mode, the diagnostics-channel message is published and execution
continues; in enforce mode (
--permission), behavior is unchanged.Repro
Affected scopes
Every permission scope, both sync and async call sites — fs read/write, net,
child_process, worker, addon, ffi, inspector, wasi.
Refs: 9ddd1a9