src,permission: add multiple allow-fs-* flags #49047

Ceres6 · 2023-08-06T21:18:13Z

Breaking change: Support for a single comma separates list for allow-fs-* flags is removed.

This means that

--alow-fs-read=/path/to/file.txt,/other/file/path.txt

Will be interpreted as a single file.

When using a single flag and including commas in said flag a warning will be emitted explaining the change.

Instead now multiple flags can be passed to allow multiple paths.

--allow-fs-read=/path/to/file.txt --allow-fs-read=/other/file/path.txt

Will allow access to both paths.

Fixes: nodejs/security-wg#1039

nodejs-github-bot · 2023-08-06T21:18:17Z

Review requested:

@nodejs/security-wg

RafaelGSS

Can we have a test for the warning too?

doc/api/cli.md

lib/internal/process/pre_execution.js

src/node_options.h

Ceres6 · 2023-08-10T15:40:33Z

Can we have a test for the warning too?

@RafaelGSS We do have one https://github.com/nodejs/node/pull/49047/files#diff-5928310ee410bbccf3599140510e07ca18546548955f67505349fa1fef2d6b48R83

richardlau

Possibly add changes metadata to the YAML blocks? e.g.

changes:
  - version: REPLACEME
    pr-url: https://github.com/nodejs/node/pull/49047
    description: Paths delimited by comma (`,`) are no longer allowed.

richardlau · 2023-08-10T15:50:15Z

doc/api/cli.md

+* Multiple paths can be allowed using multiple `--allow-fs-read` flags.
+  Example `--allow-fs-read=/folder1/ --allow-fs-read=/folder1/`
+
+NOTE: Paths delimited by comma (`,`) are no longer allowed.


This could also be added as changes metadata in the YAML block above.

richardlau · 2023-08-10T15:50:38Z

doc/api/cli.md

+* Multiple paths can be allowed using multiple `--allow-fs-read` flags.
+  Example `--allow-fs-read=/folder1/ --allow-fs-read=/folder1/`
+
+Paths delimited by comma (`,`) are no longer allowed.


This could also be added as changes metadata in the YAML block above.

nodejs-github-bot · 2023-08-11T11:57:56Z

CI: https://ci.nodejs.org/job/node-test-pull-request/53186/

RafaelGSS

One import left

src/permission/fs_permission.cc

nodejs-github-bot · 2023-08-11T21:01:16Z

CI: https://ci.nodejs.org/job/node-test-pull-request/53210/

RafaelGSS · 2023-08-11T21:35:58Z

It seems the machines are broken. I'll wait a bit to request another CI.

nodejs-github-bot · 2023-08-12T15:17:40Z

CI: https://ci.nodejs.org/job/node-test-pull-request/53235/

Support for a single comma separates list for allow-fs-* flags is removed. Instead now multiple flags can be passed to allow multiple paths. Fixes: nodejs/security-wg#1039

Co-authored-by: Rafael Gonzaga <[email protected]>

Notable changes: crypto: * update root certificates to NSS 3.93 (Node.js GitHub Bot) #49341 doc: * move and rename loaders section (Geoffrey Booth) #49261 * add release key for Ulises Gascon (Ulises Gascón) #49196 lib: * (SEMVER-MINOR) add api to detect whether source-maps are enabled (翠 / green) #46391 src: * support multiple `--env-file` declarations (Yagiz Nizipli) #49542 src,permission: * add multiple allow-fs-* flags (Carlos Espa) #49047 test_runner: * (SEMVER-MINOR) expose location of tests (Colin Ihrig) #48975 PR-URL: #49592

Notable changes: crypto: * update root certificates to NSS 3.93 (Node.js GitHub Bot) #49341 deps: * upgrade npm to 10.0.0 (npm team) #49423 * upgrade npm to 10.1.0 (npm team) #49570 doc: * move and rename loaders section (Geoffrey Booth) #49261 * add release key for Ulises Gascon (Ulises Gascón) #49196 lib: * (SEMVER-MINOR) add api to detect whether source-maps are enabled (翠 / green) #46391 src: * support multiple `--env-file` declarations (Yagiz Nizipli) #49542 src,permission: * add multiple allow-fs-* flags (Carlos Espa) #49047 test_runner: * (SEMVER-MINOR) expose location of tests (Colin Ihrig) #48975 PR-URL: #49592

Notable changes: crypto: * update root certificates to NSS 3.93 (Node.js GitHub Bot) #49341 deps: * upgrade npm to 10.1.0 (npm team) #49570 * upgrade npm to 10.0.0 (npm team) #49423 doc: * move and rename loaders section (Geoffrey Booth) #49261 * add release key for Ulises Gascon (Ulises Gascón) #49196 lib: * (SEMVER-MINOR) add api to detect whether source-maps are enabled (翠 / green) #46391 src: * support multiple `--env-file` declarations (Yagiz Nizipli) #49542 src,permission: * add multiple allow-fs-* flags (Carlos Espa) #49047 test_runner: * (SEMVER-MINOR) expose location of tests (Colin Ihrig) #48975 PR-URL: #49592

Notable changes: crypto: * update root certificates to NSS 3.93 (Node.js GitHub Bot) nodejs#49341 deps: * upgrade npm to 10.1.0 (npm team) nodejs#49570 * upgrade npm to 10.0.0 (npm team) nodejs#49423 doc: * move and rename loaders section (Geoffrey Booth) nodejs#49261 * add release key for Ulises Gascon (Ulises Gascón) nodejs#49196 lib: * (SEMVER-MINOR) add api to detect whether source-maps are enabled (翠 / green) nodejs#46391 src: * support multiple `--env-file` declarations (Yagiz Nizipli) nodejs#49542 src,permission: * add multiple allow-fs-* flags (Carlos Espa) nodejs#49047 test_runner: * (SEMVER-MINOR) expose location of tests (Colin Ihrig) nodejs#48975 PR-URL: nodejs#49592

The use of string_view and subsequent copying to a string was supposed to be a minor optimization in 640a7918, however, since 413c16e, no string splitting occurs anymore. Therefore, we can simply pass around some references instead of using string_view or copying strings. Refs: nodejs#48491 Refs: nodejs#49047

The use of string_view and subsequent copying to a string was supposed to be a minor optimization in 640a7918, however, since 413c16e, no string splitting occurs anymore. Therefore, we can simply pass around some references instead of using string_view or copying strings. Refs: #48491 Refs: #49047 PR-URL: #50662 Reviewed-By: Yagiz Nizipli <[email protected]> Reviewed-By: Rafael Gonzaga <[email protected]> Reviewed-By: Marco Ippolito <[email protected]> Reviewed-By: James M Snell <[email protected]> Reviewed-By: Luigi Pinca <[email protected]>

Refs: nodejs#49047

Refs: #49047 PR-URL: #50845 Reviewed-By: Richard Lau <[email protected]> Reviewed-By: Vinícius Lourenço Claro Cardoso <[email protected]> Reviewed-By: Deokjin Kim <[email protected]>

The use of string_view and subsequent copying to a string was supposed to be a minor optimization in 640a7918, however, since 413c16e, no string splitting occurs anymore. Therefore, we can simply pass around some references instead of using string_view or copying strings. Refs: #48491 Refs: #49047 PR-URL: #50662 Reviewed-By: Yagiz Nizipli <[email protected]> Reviewed-By: Rafael Gonzaga <[email protected]> Reviewed-By: Marco Ippolito <[email protected]> Reviewed-By: James M Snell <[email protected]> Reviewed-By: Luigi Pinca <[email protected]>

Refs: #49047 PR-URL: #50845 Reviewed-By: Richard Lau <[email protected]> Reviewed-By: Vinícius Lourenço Claro Cardoso <[email protected]> Reviewed-By: Deokjin Kim <[email protected]>

The use of string_view and subsequent copying to a string was supposed to be a minor optimization in 640a7918, however, since 413c16e, no string splitting occurs anymore. Therefore, we can simply pass around some references instead of using string_view or copying strings. Refs: nodejs#48491 Refs: nodejs#49047 PR-URL: nodejs#50662 Reviewed-By: Yagiz Nizipli <[email protected]> Reviewed-By: Rafael Gonzaga <[email protected]> Reviewed-By: Marco Ippolito <[email protected]> Reviewed-By: James M Snell <[email protected]> Reviewed-By: Luigi Pinca <[email protected]>

Refs: nodejs#49047 PR-URL: nodejs#50845 Reviewed-By: Richard Lau <[email protected]> Reviewed-By: Vinícius Lourenço Claro Cardoso <[email protected]> Reviewed-By: Deokjin Kim <[email protected]>

The use of string_view and subsequent copying to a string was supposed to be a minor optimization in 640a7918, however, since 413c16e, no string splitting occurs anymore. Therefore, we can simply pass around some references instead of using string_view or copying strings. Refs: nodejs#48491 Refs: nodejs#49047 PR-URL: nodejs#50662 Reviewed-By: Yagiz Nizipli <[email protected]> Reviewed-By: Rafael Gonzaga <[email protected]> Reviewed-By: Marco Ippolito <[email protected]> Reviewed-By: James M Snell <[email protected]> Reviewed-By: Luigi Pinca <[email protected]>

Refs: nodejs#49047 PR-URL: nodejs#50845 Reviewed-By: Richard Lau <[email protected]> Reviewed-By: Vinícius Lourenço Claro Cardoso <[email protected]> Reviewed-By: Deokjin Kim <[email protected]>

The use of string_view and subsequent copying to a string was supposed to be a minor optimization in 640a7918, however, since 413c16e, no string splitting occurs anymore. Therefore, we can simply pass around some references instead of using string_view or copying strings. Refs: #48491 Refs: #49047 PR-URL: #50662 Reviewed-By: Yagiz Nizipli <[email protected]> Reviewed-By: Rafael Gonzaga <[email protected]> Reviewed-By: Marco Ippolito <[email protected]> Reviewed-By: James M Snell <[email protected]> Reviewed-By: Luigi Pinca <[email protected]>

Refs: #49047 PR-URL: #50845 Reviewed-By: Richard Lau <[email protected]> Reviewed-By: Vinícius Lourenço Claro Cardoso <[email protected]> Reviewed-By: Deokjin Kim <[email protected]>

The use of string_view and subsequent copying to a string was supposed to be a minor optimization in 640a7918, however, since 413c16e, no string splitting occurs anymore. Therefore, we can simply pass around some references instead of using string_view or copying strings. Refs: #48491 Refs: #49047 PR-URL: #50662 Reviewed-By: Yagiz Nizipli <[email protected]> Reviewed-By: Rafael Gonzaga <[email protected]> Reviewed-By: Marco Ippolito <[email protected]> Reviewed-By: James M Snell <[email protected]> Reviewed-By: Luigi Pinca <[email protected]>

Refs: #49047 PR-URL: #50845 Reviewed-By: Richard Lau <[email protected]> Reviewed-By: Vinícius Lourenço Claro Cardoso <[email protected]> Reviewed-By: Deokjin Kim <[email protected]>

The use of string_view and subsequent copying to a string was supposed to be a minor optimization in 640a7918, however, since 413c16e, no string splitting occurs anymore. Therefore, we can simply pass around some references instead of using string_view or copying strings. Refs: #48491 Refs: #49047 PR-URL: #50662 Reviewed-By: Yagiz Nizipli <[email protected]> Reviewed-By: Rafael Gonzaga <[email protected]> Reviewed-By: Marco Ippolito <[email protected]> Reviewed-By: James M Snell <[email protected]> Reviewed-By: Luigi Pinca <[email protected]>

Refs: #49047 PR-URL: #50845 Reviewed-By: Richard Lau <[email protected]> Reviewed-By: Vinícius Lourenço Claro Cardoso <[email protected]> Reviewed-By: Deokjin Kim <[email protected]>

The use of string_view and subsequent copying to a string was supposed to be a minor optimization in 640a7918, however, since 413c16e, no string splitting occurs anymore. Therefore, we can simply pass around some references instead of using string_view or copying strings. Refs: #48491 Refs: #49047 PR-URL: #50662 Reviewed-By: Yagiz Nizipli <[email protected]> Reviewed-By: Rafael Gonzaga <[email protected]> Reviewed-By: Marco Ippolito <[email protected]> Reviewed-By: James M Snell <[email protected]> Reviewed-By: Luigi Pinca <[email protected]>

Refs: #49047 PR-URL: #50845 Reviewed-By: Richard Lau <[email protected]> Reviewed-By: Vinícius Lourenço Claro Cardoso <[email protected]> Reviewed-By: Deokjin Kim <[email protected]>

nodejs-github-bot added c++ Issues and PRs that require attention from people who are familiar with C++. lib / src Issues and PRs related to general changes in the lib or src directory. needs-ci PRs that need a full CI run. labels Aug 6, 2023

RafaelGSS reviewed Aug 10, 2023

View reviewed changes

tniessen added the permission Issues and PRs related to the Permission Model label Aug 10, 2023

richardlau reviewed Aug 10, 2023

View reviewed changes

Ceres6 requested review from richardlau and RafaelGSS August 10, 2023 21:22

RafaelGSS added the request-ci Add this label to start a Jenkins CI on a PR. label Aug 11, 2023

github-actions bot removed the request-ci Add this label to start a Jenkins CI on a PR. label Aug 11, 2023

RafaelGSS reviewed Aug 11, 2023

View reviewed changes

src/permission/fs_permission.cc Outdated Show resolved Hide resolved

RafaelGSS added the commit-queue-squash Add this label to instruct the Commit Queue to squash all the PR commits into the first one. label Aug 11, 2023

Ceres6 requested a review from RafaelGSS August 11, 2023 16:34

RafaelGSS added the request-ci Add this label to start a Jenkins CI on a PR. label Aug 11, 2023

github-actions bot removed the request-ci Add this label to start a Jenkins CI on a PR. label Aug 11, 2023

RafaelGSS added the request-ci Add this label to start a Jenkins CI on a PR. label Aug 12, 2023

github-actions bot removed the request-ci Add this label to start a Jenkins CI on a PR. label Aug 12, 2023

This comment was marked as outdated.

Sign in to view

RafaelGSS added the request-ci Add this label to start a Jenkins CI on a PR. label Aug 12, 2023

github-actions bot removed the request-ci Add this label to start a Jenkins CI on a PR. label Aug 12, 2023

Ceres6 and others added 4 commits August 12, 2023 21:36

src,permission: add multiple allow-fs-* flags

432f90a

Support for a single comma separates list for allow-fs-* flags is removed. Instead now multiple flags can be passed to allow multiple paths. Fixes: nodejs/security-wg#1039

fix tests

81ec076

Update doc/api/cli.md

a75b87d

Co-authored-by: Rafael Gonzaga <[email protected]>

Update lib/internal/process/pre_execution.js

10d1288

Co-authored-by: Rafael Gonzaga <[email protected]>

tniessen mentioned this pull request Nov 10, 2023

src: avoid copying strings in FSPermission::Apply #50662

Merged

tniessen added a commit to tniessen/node that referenced this pull request Nov 21, 2023

doc: fix typos in --allow-fs-*

1d8d220

Refs: nodejs#49047

tniessen mentioned this pull request Nov 21, 2023

doc: fix typos in --allow-fs-* #50845

Merged

targos pushed a commit that referenced this pull request Nov 23, 2023

doc: fix typos in --allow-fs-*

59541dc

Refs: #49047 PR-URL: #50845 Reviewed-By: Richard Lau <[email protected]> Reviewed-By: Vinícius Lourenço Claro Cardoso <[email protected]> Reviewed-By: Deokjin Kim <[email protected]>

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

src,permission: add multiple allow-fs-* flags #49047

src,permission: add multiple allow-fs-* flags #49047

Ceres6 commented Aug 6, 2023 •

edited

Loading

nodejs-github-bot commented Aug 6, 2023

RafaelGSS left a comment

Ceres6 commented Aug 10, 2023 •

edited

Loading

richardlau left a comment

richardlau Aug 10, 2023 •

edited

Loading

richardlau Aug 10, 2023 •

edited

Loading

nodejs-github-bot commented Aug 11, 2023

RafaelGSS left a comment

nodejs-github-bot commented Aug 11, 2023

RafaelGSS commented Aug 11, 2023

This comment was marked as outdated.

nodejs-github-bot commented Aug 12, 2023

src,permission: add multiple allow-fs-* flags #49047

src,permission: add multiple allow-fs-* flags #49047

Conversation

Ceres6 commented Aug 6, 2023 • edited Loading

nodejs-github-bot commented Aug 6, 2023

RafaelGSS left a comment

Choose a reason for hiding this comment

Ceres6 commented Aug 10, 2023 • edited Loading

richardlau left a comment

Choose a reason for hiding this comment

richardlau Aug 10, 2023 • edited Loading

Choose a reason for hiding this comment

richardlau Aug 10, 2023 • edited Loading

Choose a reason for hiding this comment

nodejs-github-bot commented Aug 11, 2023

RafaelGSS left a comment

Choose a reason for hiding this comment

nodejs-github-bot commented Aug 11, 2023

RafaelGSS commented Aug 11, 2023

This comment was marked as outdated.

nodejs-github-bot commented Aug 12, 2023

Ceres6 commented Aug 6, 2023 •

edited

Loading

Ceres6 commented Aug 10, 2023 •

edited

Loading

richardlau Aug 10, 2023 •

edited

Loading

richardlau Aug 10, 2023 •

edited

Loading