lib: handle --permission-audit when propagating flags

RafaelGSS · RafaelGSS · commit 93676222fc04 · 2026-04-30T08:39:45.000-03:00
Signed-off-by: RafaelGSS &lt;rafael.nunu@hotmail.com&gt;
diff --git a/lib/child_process.js b/lib/child_process.js
@@ -549,7 +549,8 @@ function getPermissionModelFlagsToCopy() {
 
 function copyPermissionModelFlagsToEnv(env, key, args) {
   // Do not override if permission was already passed to file
-  if (args.includes('--permission') || (env[key] && env[key].indexOf('--permission') !== -1)) {
+  if (args.includes('--permission') || args.includes('--permission-audit') ||
+      (env[key] && env[key].indexOf('--permission') !== -1)) {
     return;
   }
 
diff --git a/lib/ffi.js b/lib/ffi.js
@@ -61,7 +61,11 @@ DynamicLibrary.prototype[SymbolDispose] = function() {
 };
 
 function checkFFIPermission() {
-  if (!permission.isEnabled() || permission.has('ffi')) {
+  if (!permission.isEnabled()) {
+    return;
+  }
+
+  if (permission.has('ffi') || permission.isAuditMode()) {
     return;
   }
 
diff --git a/lib/internal/process/permission.js b/lib/internal/process/permission.js
@@ -11,17 +11,25 @@ const { Buffer } = require('buffer');
 const { isBuffer } = Buffer;
 
 let _permission;
+let _audit;
 let _ffi;
 
 module.exports = ObjectFreeze({
   __proto__: null,
   isEnabled() {
     if (_permission === undefined) {
       const { getOptionValue } = require('internal/options');
-      _permission = getOptionValue('--permission');
+      _permission = getOptionValue('--permission') || getOptionValue('--permission-audit');
     }
     return _permission;
   },
+  isAuditMode() {
+    if (_audit === undefined) {
+      const { getOptionValue } = require('internal/options');
+      _audit = getOptionValue('--permission-audit');
+    }
+    return _audit;
+  },
   has(scope, reference) {
     validateString(scope, 'scope');
     if (reference != null) {
diff --git a/test/parallel/test-permission-audit-child-process-inherit-flags.js b/test/parallel/test-permission-audit-child-process-inherit-flags.js
@@ -0,0 +1,94 @@
+// Flags: --permission-audit --allow-child-process --allow-fs-read=* --allow-fs-write=*
+'use strict';
+
+const common = require('../common');
+const { isMainThread } = require('worker_threads');
+
+if (!isMainThread) {
+  common.skip('This test only works on a main thread');
+}
+if (process.config.variables.node_without_node_options) {
+  common.skip('missing NODE_OPTIONS support');
+}
+
+const assert = require('assert');
+const childProcess = require('child_process');
+
+// Verify that the parent is running in audit mode
+assert.strictEqual(typeof process.permission.has, 'function');
+
+{
+  assert.strictEqual(process.env.NODE_OPTIONS, undefined);
+}
+
+// Child should inherit --permission-audit and the allow-flags via NODE_OPTIONS
+{
+  const { status, stdout, stderr } = childProcess.spawnSync(process.execPath,
+    [
+      '-e',
+      `
+      console.log(typeof process.permission);
+      console.log(process.permission.has("fs.write"));
+      console.log(process.permission.has("fs.read"));
+      console.log(process.permission.has("child"));
+      `,
+    ]
+  );
+  assert.strictEqual(status, 0, `stderr: ${stderr}`);
+  const [permType, fsWrite, fsRead, child] = stdout.toString().split('\n');
+  assert.strictEqual(permType, 'object', 'child should have process.permission defined');
+  assert.strictEqual(fsWrite, 'true');
+  assert.strictEqual(fsRead, 'true');
+  assert.strictEqual(child, 'true');
+}
+
+// Child spawned with explicit --permission should use its own flags, not inherit parent's
+{
+  const { status, stdout, stderr } = childProcess.spawnSync(
+    process.execPath,
+    [
+      '--permission',
+      '--allow-fs-write=*',
+      '-e',
+      `
+      console.log(typeof process.permission);
+      console.log(process.permission.has("fs.write"));
+      console.log(process.permission.has("fs.read"));
+      console.log(process.permission.has("child"));
+      `,
+    ]
+  );
+  assert.strictEqual(status, 0, `stderr: ${stderr}`);
+  const [permType, fsWrite, fsRead, child] = stdout.toString().split('\n');
+  assert.strictEqual(permType, 'object');
+  assert.strictEqual(fsWrite, 'true');
+  assert.strictEqual(fsRead, 'false');
+  assert.strictEqual(child, 'false');
+}
+
+// Child spawned with explicit --permission-audit should use its own flags
+{
+  const { status, stdout, stderr } = childProcess.spawnSync(
+    process.execPath,
+    [
+      '--permission-audit',
+      '--allow-fs-write=*',
+      '-e',
+      `
+      console.log(typeof process.permission);
+      console.log(process.permission.has("fs.write"));
+      console.log(process.permission.has("fs.read"));
+      `,
+    ]
+  );
+  assert.strictEqual(status, 0, `stderr: ${stderr}`);
+  const [permType, fsWrite, fsRead] = stdout.toString().split('\n');
+  assert.strictEqual(permType, 'object');
+  assert.strictEqual(fsWrite, 'true');
+  // fs.read was not allowed in the explicit child flags
+  assert.strictEqual(fsRead, 'false');
+}
+
+{
+  assert.strictEqual(process.env.NODE_OPTIONS, undefined);
+}

Original file line number	Diff line number	Diff line change
`@@ -549,7 +549,8 @@ function getPermissionModelFlagsToCopy() {`
`549`	`549`
`550`	`550`	`function copyPermissionModelFlagsToEnv(env, key, args) {`
`551`	`551`	`// Do not override if permission was already passed to file`
`552`		`- if (args.includes('--permission') \|\| (env[key] && env[key].indexOf('--permission') !== -1)) {`
	`552`	`+ if (args.includes('--permission') \|\| args.includes('--permission-audit') \|\|`
	`553`	`+ (env[key] && env[key].indexOf('--permission') !== -1)) {`
`553`	`554`	`return;`
`554`	`555`	`}`
`555`	`556`