From b5afe84d24ddae062572c142d9e1de9d11572f5a Mon Sep 17 00:00:00 2001 From: theanarkh Date: Tue, 11 Jun 2024 02:35:55 +0800 Subject: [PATCH] src: fix permission inspector crash PR-URL: https://github.com/nodejs/node/pull/53389 Fixes: https://github.com/nodejs/node/issues/53385 Reviewed-By: Yagiz Nizipli Reviewed-By: Rafael Gonzaga Reviewed-By: Moshe Atlow Reviewed-By: Kohei Ueno --- src/inspector_js_api.cc | 3 ++ src/node_contextify.cc | 15 +++++++ test/fixtures/permission/inspector-brk.js | 1 + .../parallel/test-permission-inspector-brk.js | 41 +++++++++++++++++++ 4 files changed, 60 insertions(+) create mode 100644 test/fixtures/permission/inspector-brk.js create mode 100644 test/parallel/test-permission-inspector-brk.js diff --git a/src/inspector_js_api.cc b/src/inspector_js_api.cc index 0a2d9e2ec84b08..fec9de840ef59e 100644 --- a/src/inspector_js_api.cc +++ b/src/inspector_js_api.cc @@ -181,6 +181,9 @@ void SetConsoleExtensionInstaller(const FunctionCallbackInfo& info) { void CallAndPauseOnStart(const FunctionCallbackInfo& args) { Environment* env = Environment::GetCurrent(args); + THROW_IF_INSUFFICIENT_PERMISSIONS(env, + permission::PermissionScope::kInspector, + "PauseOnNextJavascriptStatement"); CHECK_GT(args.Length(), 1); CHECK(args[0]->IsFunction()); SlicedArguments call_args(args, /* start */ 2); diff --git a/src/node_contextify.cc b/src/node_contextify.cc index ca8575e9a21b9a..d873792ab95e41 100644 --- a/src/node_contextify.cc +++ b/src/node_contextify.cc @@ -1082,6 +1082,21 @@ bool ContextifyScript::EvalMachine(Local context, #if HAVE_INSPECTOR if (break_on_first_line) { + if (UNLIKELY(!env->permission()->is_granted( + env, + permission::PermissionScope::kInspector, + "PauseOnNextJavascriptStatement"))) { + node::permission::Permission::ThrowAccessDenied( + env, + permission::PermissionScope::kInspector, + "PauseOnNextJavascriptStatement"); + if (display_errors) { + // We should decorate non-termination exceptions + errors::DecorateErrorStack(env, try_catch); + } + try_catch.ReThrow(); + return false; + } env->inspector_agent()->PauseOnNextJavascriptStatement("Break on start"); } #endif diff --git a/test/fixtures/permission/inspector-brk.js b/test/fixtures/permission/inspector-brk.js new file mode 100644 index 00000000000000..98aca6106293d6 --- /dev/null +++ b/test/fixtures/permission/inspector-brk.js @@ -0,0 +1 @@ +console.log("Hi!") diff --git a/test/parallel/test-permission-inspector-brk.js b/test/parallel/test-permission-inspector-brk.js new file mode 100644 index 00000000000000..e1bd8e9bbb0a34 --- /dev/null +++ b/test/parallel/test-permission-inspector-brk.js @@ -0,0 +1,41 @@ +'use strict'; + +const common = require('../common'); +const assert = require('assert'); +const { spawnSync } = require('child_process'); +const fixtures = require('../common/fixtures'); +const file = fixtures.path('permission', 'inspector-brk.js'); + +common.skipIfWorker(); +common.skipIfInspectorDisabled(); + +// See https://github.com/nodejs/node/issues/53385 +{ + const { status, stderr } = spawnSync( + process.execPath, + [ + '--experimental-permission', + '--allow-fs-read=*', + '--inspect-brk', + file, + ], + ); + + assert.strictEqual(status, 1); + assert.match(stderr.toString(), /Error: Access to this API has been restricted/); +} + +{ + const { status, stderr } = spawnSync( + process.execPath, + [ + '--experimental-permission', + '--inspect-brk', + '--eval', + 'console.log("Hi!")', + ], + ); + + assert.strictEqual(status, 1); + assert.match(stderr.toString(), /Error: Access to this API has been restricted/); +}