permission: update documentation and tests for --allow-env flag behavior

Signed-off-by: nabeel378 <[email protected]>

Author: nabeel378

doc/api/cli.md

@@ -193,18 +193,16 @@ directly through the process arguments.
 
 ### `--allow-env`
 
+<!-- YAML
+added: REPLACEME
+-->
+
 > Stability: 1.1 - Active development
 
 When using the [Permission Model][], access to environment variables is
-unrestricted by default. To restrict access, the `--allow-env` flag must be
-explicitly passed when starting Node.js. Once `--allow-env` is specified,
-only the listed environment variables are accessible.
-
-* Reading a restricted variable (`process.env.HOME`) silently returns
-  `undefined`.
-* Writing (`process.env.FOO = 'bar'`) or deleting (`delete process.env.FOO`)
-  a restricted variable throws `ERR_ACCESS_DENIED`.
-* Enumerating (`Object.keys(process.env)`) only returns allowed variables.
+restricted by default. Reading a restricted variable silently returns
+`undefined`, while writing or deleting throws `ERR_ACCESS_DENIED`.
+Enumerating (`Object.keys(process.env)`) only returns allowed variables.
 
 The valid arguments for the `--allow-env` flag are:
 
@@ -216,17 +214,24 @@ Examples:
 
 ```console
 $ node --permission --allow-fs-read=* -p 'process.env.HOME'
-/Users/user
-$ node --permission --allow-env=PATH --allow-fs-read=* -p 'process.env.HOME'
 undefined
 $ node --permission --allow-env=HOME --allow-fs-read=* -p 'process.env.HOME'
 /Users/user
+$ node --permission --allow-env=* --allow-fs-read=* -p 'process.env.HOME'
+/Users/user
+```
+
+Environment variable permissions can be checked programmatically:
+
+```js
+process.permission.has('env'); // true if any env access is allowed
+process.permission.has('env', 'HOME'); // true if HOME is allowed
 ```
 
 Attempting to write a restricted variable throws:
 
 ```console
-$ node --permission --allow-env=HOME --allow-fs-read=* -e "process.env.FOO = 'bar'"
+$ node --permission --allow-fs-read=* -e "process.env.FOO = 'bar'"
 node:internal/process/per_thread:12
   throw new ERR_ACCESS_DENIED('EnvVar', name);
   ^

doc/api/process.md

@@ -1560,12 +1560,11 @@ The `process.env` property returns an object containing the user environment.
 See environ(7).
 
 When the [Permission Model][] is enabled, access to environment variables is
-unrestricted by default. To restrict access, the `--allow-env` flag must be
-explicitly passed. Once `--allow-env` is specified, reading a restricted
-variable silently returns `undefined`, while writing or deleting throws
-`ERR_ACCESS_DENIED`. Use `--allow-env=*` to grant access to all variables or
-`--allow-env=HOME,PATH` to grant access to specific ones. See the
-[`--allow-env`][] documentation for more details.
+restricted by default. Reading a restricted variable silently returns
+`undefined`, while writing or deleting throws `ERR_ACCESS_DENIED`. Use
+`--allow-env=*` to grant access to all variables or `--allow-env=HOME,PATH`
+to grant access to specific ones. See the [`--allow-env`][] documentation
+for more details.
 
 An example of this object looks like:
 
@@ -3197,6 +3196,7 @@ The available scopes are:
 * `fs.write` - File System write operations
 * `child` - Child process spawning operations
 * `worker` - Worker thread spawning operation
+* `env` - Environment variable operations
 * `ffi` - Foreign function interface operations
 
 ```js

src/env.cc

@@ -949,7 +949,9 @@ Environment::Environment(IsolateData* isolate_data,
       permission()->Apply(this, {"*"}, permission::PermissionScope::kWASI);
     }
 
-    if (!options_->allow_env.empty()) {
+    if (options_->allow_env.empty()) {
+      permission()->Apply(this, {}, permission::PermissionScope::kEnvVar);
+    } else {
       permission()->Apply(
           this, options_->allow_env, permission::PermissionScope::kEnvVar);
     }

test/parallel/test-permission-child-process-inherit-flags.js

@@ -1,4 +1,4 @@
-// Flags: --permission --allow-child-process --allow-fs-read=* --allow-worker
+// Flags: --permission --allow-child-process --allow-fs-read=* --allow-worker --allow-env=*
 'use strict';
 
 const common = require('../common');

test/parallel/test-permission-env-deny-all.js

@@ -1,4 +1,4 @@
-// Flags: --permission --allow-fs-read=* --allow-child-process
+// Flags: --permission --allow-fs-read=*
 'use strict';
 
 const common = require('../common');
@@ -10,46 +10,31 @@ if (!isMainThread) {
 
 const assert = require('assert');
 
-// When --permission is used without --allow-env, env vars should be
-// freely accessible (backward compatible behavior).
+// When --permission is used without --allow-env, all env vars should be denied
+// (deny-by-default, consistent with other permission flags).
 {
-  assert.ok(process.permission.has('env'));
+  assert.ok(!process.permission.has('env'));
 }
 
 {
-  // Environment variables should be readable
-  assert.ok(typeof process.env.HOME === 'string' || process.env.HOME === undefined);
+  // Reading a denied variable should silently return undefined
+  assert.strictEqual(process.env.HOME, undefined);
+  assert.strictEqual(process.env.PATH, undefined);
 }
 
 {
-  // Setting env vars should work
-  process.env.__TEST_PERMISSION_ENV = 'test';
-  assert.strictEqual(process.env.__TEST_PERMISSION_ENV, 'test');
-  delete process.env.__TEST_PERMISSION_ENV;
+  // Writing a denied variable should throw
+  assert.throws(() => { process.env.__TEST_PERMISSION_ENV = 'test'; },
+                { code: 'ERR_ACCESS_DENIED' });
 }
 
 {
-  // Object.keys should return env vars
-  const keys = Object.keys(process.env);
-  assert.ok(keys.length > 0);
+  // Deleting a denied variable should throw
+  assert.throws(() => { delete process.env.__TEST_PERMISSION_ENV; },
+                { code: 'ERR_ACCESS_DENIED' });
 }
 
-// Test that restriction activates when --allow-env is explicitly used
 {
-  const { spawnSync } = require('child_process');
-  const { status, stderr } = spawnSync(process.execPath, [
-    '--permission',
-    '--allow-fs-read=*',
-    '--allow-env=__NONEXISTENT_VAR__',
-    '-e',
-    `
-    const assert = require('assert');
-    assert.ok(!process.permission.has('env'));
-    assert.strictEqual(process.env.HOME, undefined);
-    assert.strictEqual(process.env.PATH, undefined);
-    assert.throws(() => { process.env.X = '1'; }, { code: 'ERR_ACCESS_DENIED' });
-    assert.strictEqual(Object.keys(process.env).length, 0);
-    `,
-  ]);
-  assert.strictEqual(status, 0, `child stderr: ${stderr}`);
+  // Enumerating should return empty
+  assert.strictEqual(Object.keys(process.env).length, 0);
 }

test/parallel/test-permission-fs-read.js

@@ -1,4 +1,4 @@
-// Flags: --permission --allow-fs-read=* --allow-fs-write=* --allow-child-process
+// Flags: --permission --allow-fs-read=* --allow-fs-write=* --allow-child-process --allow-env=*
 'use strict';
 
 const common = require('../common');
@@ -36,6 +36,7 @@ const commonPath = path.join(__filename, '../../common');
       // Do not uncomment this line
       // `--allow-fs-read=${file}`,
       `--allow-fs-read=${commonPathWildcard}`,
+      '--allow-env=*',
       file,
     ],
     {

test/parallel/test-permission-fs-symlink-target-write.js

@@ -1,4 +1,4 @@
-// Flags: --permission --allow-fs-read=* --allow-fs-write=* --allow-child-process
+// Flags: --permission --allow-fs-read=* --allow-fs-write=* --allow-child-process --allow-env=*
 'use strict';
 
 const common = require('../common');
@@ -44,6 +44,7 @@ fs.writeFileSync(path.join(readWriteFolder, 'file'), 'NO evil file contents');
       '--permission',
       `--allow-fs-read=${file}`, `--allow-fs-read=${commonPathWildcard}`, `--allow-fs-read=${readOnlyFolder}`, `--allow-fs-read=${readWriteFolder}`,
       `--allow-fs-write=${readWriteFolder}`, `--allow-fs-write=${writeOnlyFolder}`,
+      '--allow-env=*',
       file,
     ],
     {

test/parallel/test-permission-fs-symlink.js

@@ -1,4 +1,4 @@
-// Flags: --permission --allow-fs-read=* --allow-fs-write=* --allow-child-process
+// Flags: --permission --allow-fs-read=* --allow-fs-write=* --allow-child-process --allow-env=*
 'use strict';
 
 const common = require('../common');
@@ -57,6 +57,7 @@ const traversalSymlink = path.join(allowedFolder, 'deep1', 'deep2', 'deep3', 'go
       `--allow-fs-read=${file}`, `--allow-fs-read=${commonPathWildcard}`, `--allow-fs-read=${symlinkFromBlockedFile}`,
       `--allow-fs-read=${allowedFolder}`,
       `--allow-fs-write=${symlinkFromBlockedFile}`,
+      '--allow-env=*',
       file,
     ],
     {

test/parallel/test-permission-fs-traversal-path.js

@@ -1,4 +1,4 @@
-// Flags: --permission --allow-fs-read=* --allow-fs-write=* --allow-child-process
+// Flags: --permission --allow-fs-read=* --allow-fs-write=* --allow-child-process --allow-env=*
 'use strict';
 
 const common = require('../common');
@@ -40,6 +40,7 @@ const commonPathWildcard = path.join(__filename, '../../common*');
       '--permission',
       `--allow-fs-read=${file}`, `--allow-fs-read=${commonPathWildcard}`, `--allow-fs-read=${allowedFolder}`,
       `--allow-fs-write=${allowedFolder}`,
+      '--allow-env=*',
       file,
     ],
     {

test/parallel/test-permission-fs-write.js

@@ -1,4 +1,4 @@
-// Flags: --permission --allow-fs-read=* --allow-child-process
+// Flags: --permission --allow-fs-read=* --allow-child-process --allow-env=*
 'use strict';
 
 const common = require('../common');
@@ -33,6 +33,7 @@ const file = fixtures.path('permission', 'fs-write.js');
       '--permission',
       '--allow-fs-read=*',
       `--allow-fs-write=${regularFile}`, `--allow-fs-write=${commonPath}`,
+      '--allow-env=*',
       file,
     ],
     {