permission,doc: fix --allow-env docs and expand test coverage

nabeel378 · nabeel378 · commit c54086a44cd9 · 2026-04-19T17:06:20.000+05:00
Signed-off-by: nabeel378 &lt;mohammadnabeeljameel@gmail.com&gt;
diff --git a/doc/api/cli.md b/doc/api/cli.md
@@ -218,7 +218,7 @@ process.env.FOO = 'bar';       // ERR_ACCESS_DENIED (throws)
 ```
 
 ```console
-$ node --permission --allow-fs-read=* index.js
+$ node --permission index.js
 node:internal/process/per_thread:12
   throw new ERR_ACCESS_DENIED('EnvVar', name);
   ^
diff --git a/src/permission/permission.cc b/src/permission/permission.cc
@@ -143,6 +143,8 @@ Permission::Permission() : enabled_(false), warning_only_(false) {
 #define V(Name, _, __, ___)                                                    \
   nodes_.insert(std::make_pair(PermissionScope::k##Name, ffi));
   FFI_PERMISSIONS(V)
+#undef V
+#define V(Name, _, __, ___)                                                    \
   nodes_.insert(std::make_pair(PermissionScope::k##Name, env_var));
   ENV_VAR_PERMISSIONS(V)
 #undef V
diff --git a/test/parallel/test-permission-env-cli.js b/test/parallel/test-permission-env-cli.js
@@ -10,26 +10,21 @@ if (!isMainThread) {
 
 const assert = require('assert');
 
-// Guarantee the initial state
 {
   assert.ok(!process.permission.has('env'));
 }
 
-// Allowed env vars should be accessible
 {
-  // Reading allowed env vars should not throw
   const home = process.env.HOME;
   const path = process.env.PATH;
   assert.ok(process.permission.has('env', 'HOME'));
   assert.ok(process.permission.has('env', 'PATH'));
 }
 
-// Disallowed env vars should return undefined (silently denied)
 {
   assert.strictEqual(process.env.SECRET_KEY, undefined);
 }
 
-// Setting a disallowed env var should throw
 {
   assert.throws(() => {
     process.env.NEW_VAR = 'value';
@@ -40,7 +35,6 @@ const assert = require('assert');
   }));
 }
 
-// Deleting a disallowed env var should throw
 {
   assert.throws(() => {
     delete process.env.SECRET_KEY;
@@ -51,12 +45,10 @@ const assert = require('assert');
   }));
 }
 
-// Querying a disallowed env var should return false (not found)
 {
   assert.strictEqual('SECRET_KEY' in process.env, false);
 }
 
-// Enumerating should only return allowed env vars
 {
   const keys = Object.keys(process.env);
   for (const key of keys) {
@@ -66,3 +58,38 @@ const assert = require('assert');
     );
   }
 }
+
+{
+  const keys = [];
+  for (const key in process.env) {
+    keys.push(key);
+  }
+  for (const key of keys) {
+    assert.ok(
+      key === 'HOME' || key === 'PATH',
+      `Unexpected env var in for...in: ${key}`
+    );
+  }
+}
+
+{
+  const copy = Object.assign({}, process.env);
+  const keys = Object.keys(copy);
+  for (const key of keys) {
+    assert.ok(
+      key === 'HOME' || key === 'PATH',
+      `Unexpected env var in Object.assign: ${key}`
+    );
+  }
+}
+
+{
+  const parsed = JSON.parse(JSON.stringify(process.env));
+  const keys = Object.keys(parsed);
+  for (const key of keys) {
+    assert.ok(
+      key === 'HOME' || key === 'PATH',
+      `Unexpected env var in JSON.stringify: ${key}`
+    );
+  }
+}
diff --git a/test/parallel/test-permission-env-deny-all.js b/test/parallel/test-permission-env-deny-all.js
@@ -10,18 +10,15 @@ if (!isMainThread) {
 
 const assert = require('assert');
 
-// When --permission is set without --allow-env, all env access is denied
 {
   assert.ok(!process.permission.has('env'));
 }
 
-// Reading any env var should return undefined (silently denied)
 {
   assert.strictEqual(process.env.HOME, undefined);
   assert.strictEqual(process.env.PATH, undefined);
 }
 
-// Setting any env var should throw
 {
   assert.throws(() => {
     process.env.TEST_VAR = 'value';
@@ -31,7 +28,6 @@ const assert = require('assert');
   }));
 }
 
-// Enumerating should return empty
 {
   const keys = Object.keys(process.env);
   assert.strictEqual(keys.length, 0);

Original file line number	Diff line number	Diff line change
`@@ -218,7 +218,7 @@ process.env.FOO = 'bar'; // ERR_ACCESS_DENIED (throws)`
`218`	`218`	```
`219`	`219`
`220`	`220`	```console
`221`		`-$ node --permission --allow-fs-read=* index.js`
	`221`	`+$ node --permission index.js`
`222`	`222`	`node:internal/process/per_thread:12`
`223`	`223`	`throw new ERR_ACCESS_DENIED('EnvVar', name);`
`224`	`224`	`^`
Original file line number	Diff line number	Diff line change
`@@ -10,26 +10,21 @@ if (!isMainThread) {`
`10`	`10`
`11`	`11`	`const assert = require('assert');`
`12`	`12`
`13`		`-// Guarantee the initial state`
`14`	`13`	`{`
`15`	`14`	`assert.ok(!process.permission.has('env'));`
`16`	`15`	`}`
`17`	`16`
`18`		`-// Allowed env vars should be accessible`
`19`	`17`	`{`
`20`		`- // Reading allowed env vars should not throw`
`21`	`18`	`const home = process.env.HOME;`
`22`	`19`	`const path = process.env.PATH;`
`23`	`20`	`assert.ok(process.permission.has('env', 'HOME'));`
`24`	`21`	`assert.ok(process.permission.has('env', 'PATH'));`
`25`	`22`	`}`
`26`	`23`
`27`		`-// Disallowed env vars should return undefined (silently denied)`
`28`	`24`	`{`
`29`	`25`	`assert.strictEqual(process.env.SECRET_KEY, undefined);`
`30`	`26`	`}`
`31`	`27`
`32`		`-// Setting a disallowed env var should throw`
`33`	`28`	`{`
`34`	`29`	`assert.throws(() => {`
`35`	`30`	`process.env.NEW_VAR = 'value';`
`@@ -40,7 +35,6 @@ const assert = require('assert');`
`40`	`35`	`}));`
`41`	`36`	`}`
`42`	`37`
`43`		`-// Deleting a disallowed env var should throw`
`44`	`38`	`{`
`45`	`39`	`assert.throws(() => {`
`46`	`40`	`delete process.env.SECRET_KEY;`
`@@ -51,12 +45,10 @@ const assert = require('assert');`
`51`	`45`	`}));`
`52`	`46`	`}`
`53`	`47`
`54`		`-// Querying a disallowed env var should return false (not found)`
`55`	`48`	`{`
`56`	`49`	`assert.strictEqual('SECRET_KEY' in process.env, false);`
`57`	`50`	`}`
`58`	`51`
`59`		`-// Enumerating should only return allowed env vars`
`60`	`52`	`{`
`61`	`53`	`const keys = Object.keys(process.env);`
`62`	`54`	`for (const key of keys) {`
`@@ -66,3 +58,38 @@ const assert = require('assert');`
`66`	`58`	`);`
`67`	`59`	`}`
`68`	`60`	`}`
	`61`	`+`
	`62`	`+{`
	`63`	`+ const keys = [];`
	`64`	`+ for (const key in process.env) {`
	`65`	`+ keys.push(key);`
	`66`	`+ }`
	`67`	`+ for (const key of keys) {`
	`68`	`+ assert.ok(`
	`69`	`+ key === 'HOME' \|\| key === 'PATH',`
	`70`	+ `Unexpected env var in for...in: ${key}`
	`71`	`+ );`
	`72`	`+ }`
	`73`	`+}`
	`74`	`+`
	`75`	`+{`
	`76`	`+ const copy = Object.assign({}, process.env);`
	`77`	`+ const keys = Object.keys(copy);`
	`78`	`+ for (const key of keys) {`
	`79`	`+ assert.ok(`
	`80`	`+ key === 'HOME' \|\| key === 'PATH',`
	`81`	+ `Unexpected env var in Object.assign: ${key}`
	`82`	`+ );`
	`83`	`+ }`
	`84`	`+}`
	`85`	`+`
	`86`	`+{`
	`87`	`+ const parsed = JSON.parse(JSON.stringify(process.env));`
	`88`	`+ const keys = Object.keys(parsed);`
	`89`	`+ for (const key of keys) {`
	`90`	`+ assert.ok(`
	`91`	`+ key === 'HOME' \|\| key === 'PATH',`
	`92`	+ `Unexpected env var in JSON.stringify: ${key}`
	`93`	`+ );`
	`94`	`+ }`
	`95`	`+}`
Original file line number	Diff line number	Diff line change
`@@ -10,18 +10,15 @@ if (!isMainThread) {`
`10`	`10`
`11`	`11`	`const assert = require('assert');`
`12`	`12`
`13`		`-// When --permission is set without --allow-env, all env access is denied`
`14`	`13`	`{`
`15`	`14`	`assert.ok(!process.permission.has('env'));`
`16`	`15`	`}`
`17`	`16`
`18`		`-// Reading any env var should return undefined (silently denied)`
`19`	`17`	`{`
`20`	`18`	`assert.strictEqual(process.env.HOME, undefined);`
`21`	`19`	`assert.strictEqual(process.env.PATH, undefined);`
`22`	`20`	`}`
`23`	`21`
`24`		`-// Setting any env var should throw`
`25`	`22`	`{`
`26`	`23`	`assert.throws(() => {`
`27`	`24`	`process.env.TEST_VAR = 'value';`
`@@ -31,7 +28,6 @@ const assert = require('assert');`
`31`	`28`	`}));`
`32`	`29`	`}`
`33`	`30`
`34`		`-// Enumerating should return empty`
`35`	`31`	`{`
`36`	`32`	`const keys = Object.keys(process.env);`
`37`	`33`	`assert.strictEqual(keys.length, 0);`