From e44db4d109887ceb38b95f2e72869cda45d760b2 Mon Sep 17 00:00:00 2001
From: Rafael Gonzaga
Date: Wed, 26 Jul 2023 15:32:03 -0300
Subject: [PATCH] src,permission: restrict by default when pm enabled
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
PR-URL: https://github.com/nodejs/node/pull/48907
Reviewed-By: Luigi Pinca
Reviewed-By: Michaƫl Zasso
Reviewed-By: Paolo Insogna
Reviewed-By: Marco Ippolito
---
 src/env.cc | 20 +++++++++-----------
 test/parallel/test-permission-inspector.js | 16 +++++++++++++++-
 2 files changed, 24 insertions(+), 12 deletions(-)
diff --git a/src/env.cc b/src/env.cc
index bcac86e85b732e..cc0c7b2642c106 100644
--- a/src/env.cc
+++ b/src/env.cc
@@ -844,19 +844,17 @@ Environment::Environment(IsolateData* isolate_data,
 if (options_->experimental_permission) {
 permission()->EnablePermissions();
- // If any permission is set the process shouldn't be able to neither
+ // The process shouldn't be able to neither
 // spawn/worker nor use addons or enable inspector
 // unless explicitly allowed by the user
- if (!options_->allow_fs_read.empty() || !options_->allow_fs_write.empty()) {
- options_->allow_native_addons = false;
- flags_ = flags_ | EnvironmentFlags::kNoCreateInspector;
- permission()->Apply("*", permission::PermissionScope::kInspector);
- if (!options_->allow_child_process) {
- permission()->Apply("*", permission::PermissionScope::kChildProcess);
- }
- if (!options_->allow_worker_threads) {
- permission()->Apply("*", permission::PermissionScope::kWorkerThreads);
- }
+ options_->allow_native_addons = false;
+ flags_ = flags_ | EnvironmentFlags::kNoCreateInspector;
+ permission()->Apply("*", permission::PermissionScope::kInspector);
+ if (!options_->allow_child_process) {
+ permission()->Apply("*", permission::PermissionScope::kChildProcess);
+ }
+ if (!options_->allow_worker_threads) {
+ permission()->Apply("*", permission::PermissionScope::kWorkerThreads);
 }
 if (!options_->allow_fs_read.empty()) {
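Review bot: The rewritten comment still says "unless explicitly allowed by the user", but in the new lines only the child-process and worker-thread scopes are guarded by an option (`allow_child_process`, `allow_worker_threads`); `allow_native_addons = false`, `kNoCreateInspector` and the `kInspector` deny are applied unconditionally whenever `experimental_permission` is set. Because this comment documents a security default, it should match the code and drop the "shouldn't be able to neither … nor" double negative, for example `// Permission model on: addons and the inspector are always disabled;` followed by `// child processes and workers are denied unless explicitly allowed.` The constructor body begins before and continues after this hunk, so an opt-in for addons or the inspector elsewhere cannot be ruled out from here.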
diff --git a/test/parallel/test-permission-inspector.js b/test/parallel/test-permission-inspector.js
index f9d2ce53639945..d4afd8d93bc2f7 100644
--- a/test/parallel/test-permission-inspector.js
+++ b/test/parallel/test-permission-inspector.js
@@ -1,4 +1,4 @@
-// Flags: --experimental-permission --allow-fs-read=*
+// Flags: --experimental-permission --allow-fs-read=* --allow-child-process
 'use strict';
 const common = require('../common');
@@ -7,6 +7,7 @@ common.skipIfInspectorDisabled();
 const { Session } = require('inspector');
 const assert = require('assert');
+const { spawnSync } = require('child_process');
 if (!common.hasCrypto)
 common.skip('no crypto');
@@ -20,3 +21,16 @@ if (!common.hasCrypto)
 permission: 'Inspector',
 }));
 }
+
+{
+ const { status, stderr } = spawnSync(
+ process.execPath,
+ [
+ '--experimental-permission',
+ '-e',
+ '(new (require("inspector")).Session()).connect()',
+ ],
+ );
+ assert.strictEqual(status, 1);
+ assert.match(stderr.toString(), /Error: Access to this API has been restricted/);
+}
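Review bot: The last assertion in the new block matches only the generic message `Access to this API has been restricted`, so it would also pass if the child were denied for a scope other than the inspector. The earlier case in this file checks `permission: 'Inspector'` (visible in the context lines); the spawned case can do the same, assuming the uncaught error's printed properties reach stderr: `assert.match(stderr.toString(), /permission: 'Inspector'/);`. The env.cc change also makes child-process and worker-thread denial the default when no `--allow-fs-*` flag is given, and nothing in this patch exercises those two scopes in that configuration.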