diff --git a/benchmark/fs/readfile-permission-enabled.js b/benchmark/fs/readfile-permission-enabled.js index 46f20be6a0b06e..c688e9eecb0e00 100644 --- a/benchmark/fs/readfile-permission-enabled.js +++ b/benchmark/fs/readfile-permission-enabled.js @@ -17,7 +17,7 @@ const bench = common.createBenchmark(main, { concurrent: [1, 10], }, { flags: [ - '--experimental-permission', + '--permission', '--allow-fs-read=*', '--allow-fs-write=*', '--allow-child-process', diff --git a/benchmark/permission/permission-processhas-fs-read.js b/benchmark/permission/permission-processhas-fs-read.js index c2c90636aa1f62..ea06aed4bc27a9 100644 --- a/benchmark/permission/permission-processhas-fs-read.js +++ b/benchmark/permission/permission-processhas-fs-read.js @@ -11,7 +11,7 @@ const rootPath = path.resolve(__dirname, '../../..'); const options = { flags: [ - '--experimental-permission', + '--permission', `--allow-fs-read=${rootPath}`, '--allow-child-process', '--no-warnings', diff --git a/benchmark/permission/permission-startup.js b/benchmark/permission/permission-startup.js index 08326909aa4e41..6a197cdff56111 100644 --- a/benchmark/permission/permission-startup.js +++ b/benchmark/permission/permission-startup.js @@ -48,7 +48,7 @@ function spawnProcess(script, bench, state) { function main({ count, script, nFiles, prefixPath }) { script = path.resolve(__dirname, '../../', `${script}.js`); const optionsWithScript = [ - '--experimental-permission', + '--permission', `--allow-fs-read=${script}`, ...mockFiles(nFiles, prefixPath).map((file) => '--allow-fs-read=' + file), script, diff --git a/doc/api/cli.md b/doc/api/cli.md index 7d22f746860b89..faade390886e9b 100644 --- a/doc/api/cli.md +++ b/doc/api/cli.md @@ -123,7 +123,7 @@ require('nodejs-addon-example'); ``` ```console -$ node --experimental-permission --allow-fs-read=* index.js +$ node --permission --allow-fs-read=* index.js node:internal/modules/cjs/loader:1319 return process.dlopen(module, path.toNamespacedPath(filename)); ^ @@ -165,7 +165,7 @@ childProcess.spawn('node', ['-e', 'require("fs").writeFileSync("/new-file", "exa ``` ```console -$ node --experimental-permission --allow-fs-read=* index.js +$ node --permission --allow-fs-read=* index.js node:internal/child_process:388 const err = this._handle.spawn(options); ^ @@ -189,12 +189,15 @@ Error: Access to this API has been restricted -> Stability: 1.1 - Active development +> Stability: 2 - Stable. This flag configures file system read permissions using the [Permission Model][]. @@ -210,7 +213,7 @@ Examples can be found in the [File System Permissions][] documentation. The initializer module also needs to be allowed. Consider the following example: ```console -$ node --experimental-permission index.js +$ node --permission index.js Error: Access to this API has been restricted at node:internal/main/run_main_module:23:47 { @@ -223,7 +226,7 @@ Error: Access to this API has been restricted The process needs to have access to the `index.js` module: ```bash -node --experimental-permission --allow-fs-read=/path/to/index.js index.js +node --permission --allow-fs-read=/path/to/index.js index.js ``` ### `--allow-fs-write` @@ -231,12 +234,15 @@ node --experimental-permission --allow-fs-read=/path/to/index.js index.js -> Stability: 1.1 - Active development +> Stability: 2 - Stable. This flag configures file system write permissions using the [Permission Model][]. @@ -282,7 +288,7 @@ new WASI({ ``` ```console -$ node --experimental-permission --allow-fs-read=* index.js +$ node --permission --allow-fs-read=* index.js Error: Access to this API has been restricted at node:internal/main/run_main_module:30:49 { @@ -313,7 +319,7 @@ new Worker(__filename); ``` ```console -$ node --experimental-permission --allow-fs-read=* index.js +$ node --permission --allow-fs-read=* index.js Error: Access to this API has been restricted at node:internal/main/run_main_module:17:47 { @@ -949,24 +955,6 @@ added: Enable experimental support for the network inspection with Chrome DevTools. -### `--experimental-permission` - - - -> Stability: 1.1 - Active development - -Enable the Permission Model for current process. When enabled, the -following permissions are restricted: - -* File System - manageable through - [`--allow-fs-read`][], [`--allow-fs-write`][] flags -* Child Process - manageable through [`--allow-child-process`][] flag -* Worker Threads - manageable through [`--allow-worker`][] flag -* WASI - manageable through [`--allow-wasi`][] flag -* Addons - manageable through [`--allow-addons`][] flag - ### `--experimental-print-required-tla` + +> Stability: 2 - Stable. + +Enable the Permission Model for current process. When enabled, the +following permissions are restricted: + +* File System - manageable through + [`--allow-fs-read`][], [`--allow-fs-write`][] flags +* Child Process - manageable through [`--allow-child-process`][] flag +* Worker Threads - manageable through [`--allow-worker`][] flag +* WASI - manageable through [`--allow-wasi`][] flag +* Addons - manageable through [`--allow-addons`][] flag + ### `--preserve-symlinks` -> Stability: 1.1 - Active development +> Stability: 2 - Stable. The Node.js Permission Model is a mechanism for restricting access to specific resources during execution. -The API exists behind a flag [`--experimental-permission`][] which when enabled, +The API exists behind a flag [`--permission`][] which when enabled, will restrict access to all available permissions. -The available permissions are documented by the [`--experimental-permission`][] +The available permissions are documented by the [`--permission`][] flag. -When starting Node.js with `--experimental-permission`, +When starting Node.js with `--permission`, the ability to access the file system through the `fs` module, spawn processes, use `node:worker_threads`, use native addons, use WASI, and enable the runtime inspector will be restricted. ```console -$ node --experimental-permission index.js +$ node --permission index.js Error: Access to this API has been restricted at node:internal/main/run_main_module:23:47 { @@ -64,7 +64,7 @@ flag. For WASI, use the [`--allow-wasi`][] flag. #### Runtime API -When enabling the Permission Model through the [`--experimental-permission`][] +When enabling the Permission Model through the [`--permission`][] flag a new property `permission` is added to the `process` object. This property contains one function: @@ -90,10 +90,8 @@ To allow access to the file system, use the [`--allow-fs-read`][] and [`--allow-fs-write`][] flags: ```console -$ node --experimental-permission --allow-fs-read=* --allow-fs-write=* index.js +$ node --permission --allow-fs-read=* --allow-fs-write=* index.js Hello world! -(node:19836) ExperimentalWarning: Permission is an experimental feature -(Use `node --trace-warnings ...` to show where the warning was created) ``` The valid arguments for both flags are: @@ -167,5 +165,5 @@ There are constraints you need to know before using this system: [`--allow-fs-write`]: cli.md#--allow-fs-write [`--allow-wasi`]: cli.md#--allow-wasi [`--allow-worker`]: cli.md#--allow-worker -[`--experimental-permission`]: cli.md#--experimental-permission +[`--permission`]: cli.md#--permission [`permission.has()`]: process.md#processpermissionhasscope-reference diff --git a/doc/api/process.md b/doc/api/process.md index 5bf05b1d909860..379694b95d8472 100644 --- a/doc/api/process.md +++ b/doc/api/process.md @@ -3103,7 +3103,7 @@ added: v20.0.0 * {Object} -This API is available through the [`--experimental-permission`][] flag. +This API is available through the [`--permission`][] flag. `process.permission` is an object whose methods are used to manage permissions for the current process. Additional documentation is available in the @@ -4440,8 +4440,8 @@ cases: [`'exit'`]: #event-exit [`'message'`]: child_process.md#event-message [`'uncaughtException'`]: #event-uncaughtexception -[`--experimental-permission`]: cli.md#--experimental-permission [`--no-deprecation`]: cli.md#--no-deprecation +[`--permission`]: cli.md#--permission [`--unhandled-rejections`]: cli.md#--unhandled-rejectionsmode [`Buffer`]: buffer.md [`ChildProcess.disconnect()`]: child_process.md#subprocessdisconnect diff --git a/doc/node.1 b/doc/node.1 index e38ce7f0431e62..2692c1848de359 100644 --- a/doc/node.1 +++ b/doc/node.1 @@ -171,8 +171,8 @@ Specify the .Ar module to use as a custom module loader. . -.It Fl -experimental-permission -Enable the experimental permission model. +.It Fl -permission +Enable the permission model. . .It Fl -experimental-shadow-realm Use this flag to enable ShadowRealm support. diff --git a/lib/internal/process/permission.js b/lib/internal/process/permission.js index 7a6dd80d1d01f3..bfdfe29fe4739f 100644 --- a/lib/internal/process/permission.js +++ b/lib/internal/process/permission.js @@ -9,16 +9,16 @@ const { validateString, validateBuffer } = require('internal/validators'); const { Buffer } = require('buffer'); const { isBuffer } = Buffer; -let experimentalPermission; +let _permission; module.exports = ObjectFreeze({ __proto__: null, isEnabled() { - if (experimentalPermission === undefined) { + if (_permission === undefined) { const { getOptionValue } = require('internal/options'); - experimentalPermission = getOptionValue('--experimental-permission'); + _permission = getOptionValue('--permission'); } - return experimentalPermission; + return _permission; }, has(scope, reference) { validateString(scope, 'scope'); diff --git a/lib/internal/process/pre_execution.js b/lib/internal/process/pre_execution.js index 41ebf85900b100..b3aba59674b82b 100644 --- a/lib/internal/process/pre_execution.js +++ b/lib/internal/process/pre_execution.js @@ -520,14 +520,13 @@ function initializeClusterIPC() { } function initializePermission() { - const experimentalPermission = getOptionValue('--experimental-permission'); - if (experimentalPermission) { + const permission = getOptionValue('--permission'); + if (permission) { process.binding = function binding(_module) { throw new ERR_ACCESS_DENIED('process.binding'); }; // Guarantee path module isn't monkey-patched to bypass permission model ObjectFreeze(require('path')); - emitExperimentalWarning('Permission'); const { has } = require('internal/process/permission'); const warnFlags = [ '--allow-addons', @@ -579,7 +578,7 @@ function initializePermission() { ArrayPrototypeForEach(availablePermissionFlags, (flag) => { const value = getOptionValue(flag); if (value.length) { - throw new ERR_MISSING_OPTION('--experimental-permission'); + throw new ERR_MISSING_OPTION('--permission'); } }); } diff --git a/src/env.cc b/src/env.cc index 8842f69e9bf58f..d4426432d67ba6 100644 --- a/src/env.cc +++ b/src/env.cc @@ -920,7 +920,7 @@ Environment::Environment(IsolateData* isolate_data, std::move(traced_value)); } - if (options_->experimental_permission) { + if (options_->permission) { permission()->EnablePermissions(); // The process shouldn't be able to neither // spawn/worker nor use addons or enable inspector diff --git a/src/node_options.cc b/src/node_options.cc index 83ee298acfad00..5c24a48411123d 100644 --- a/src/node_options.cc +++ b/src/node_options.cc @@ -456,11 +456,12 @@ EnvironmentOptionsParser::EnvironmentOptionsParser() { "experimental ES Module import.meta.resolve() parentURL support", &EnvironmentOptions::experimental_import_meta_resolve, kAllowedInEnvvar); - AddOption("--experimental-permission", + AddOption("--permission", "enable the permission system", - &EnvironmentOptions::experimental_permission, + &EnvironmentOptions::permission, kAllowedInEnvvar, false); + AddAlias("--experimental-permission", "--permission"); AddOption("--allow-fs-read", "allow permissions to read the filesystem", &EnvironmentOptions::allow_fs_read, diff --git a/src/node_options.h b/src/node_options.h index c0a8cb29f90627..24ad821837934f 100644 --- a/src/node_options.h +++ b/src/node_options.h @@ -132,7 +132,7 @@ class EnvironmentOptions : public Options { bool experimental_import_meta_resolve = false; std::string input_type; // Value of --input-type bool entry_is_url = false; - bool experimental_permission = false; + bool permission = false; std::vector allow_fs_read; std::vector allow_fs_write; bool allow_addons = false; diff --git a/test/addons/no-addons/permission.js b/test/addons/no-addons/permission.js index 0fbcd2bb1ee782..1d1bbf6e95468e 100644 --- a/test/addons/no-addons/permission.js +++ b/test/addons/no-addons/permission.js @@ -1,4 +1,4 @@ -// Flags: --experimental-permission --allow-fs-read=* +// Flags: --permission --allow-fs-read=* 'use strict'; diff --git a/test/es-module/test-cjs-legacyMainResolve-permission.js b/test/es-module/test-cjs-legacyMainResolve-permission.js index 392bfb753d7764..fcebc22ccf2929 100644 --- a/test/es-module/test-cjs-legacyMainResolve-permission.js +++ b/test/es-module/test-cjs-legacyMainResolve-permission.js @@ -1,6 +1,6 @@ 'use strict'; -// Flags: --expose-internals --experimental-permission --allow-fs-read=* --allow-child-process +// Flags: --expose-internals --permission --allow-fs-read=* --allow-child-process require('../common'); @@ -40,7 +40,7 @@ describe('legacyMainResolve', () => { process.execPath, [ '--expose-internals', - '--experimental-permission', + '--permission', ...allowReadFiles, '-e', ` @@ -98,7 +98,7 @@ describe('legacyMainResolve', () => { process.execPath, [ '--expose-internals', - '--experimental-permission', + '--permission', ...allowReadFiles, '-e', ` diff --git a/test/es-module/test-esm-loader-hooks.mjs b/test/es-module/test-esm-loader-hooks.mjs index 4a4d15648a79b5..ed5c27cbc4b84f 100644 --- a/test/es-module/test-esm-loader-hooks.mjs +++ b/test/es-module/test-esm-loader-hooks.mjs @@ -182,7 +182,7 @@ describe('Loader hooks', { concurrency: !process.env.TEST_PARALLEL }, () => { it('should work without worker permission', async () => { const { code, signal, stdout, stderr } = await spawnPromisified(execPath, [ '--no-warnings', - '--experimental-permission', + '--permission', '--allow-fs-read', '*', '--experimental-loader', @@ -199,7 +199,7 @@ describe('Loader hooks', { concurrency: !process.env.TEST_PARALLEL }, () => { it('should allow loader hooks to spawn workers when allowed by the CLI flags', async () => { const { code, signal, stdout, stderr } = await spawnPromisified(execPath, [ '--no-warnings', - '--experimental-permission', + '--permission', '--allow-worker', '--allow-fs-read', '*', @@ -217,7 +217,7 @@ describe('Loader hooks', { concurrency: !process.env.TEST_PARALLEL }, () => { it('should not allow loader hooks to spawn workers if restricted by the CLI flags', async () => { const { code, signal, stdout, stderr } = await spawnPromisified(execPath, [ '--no-warnings', - '--experimental-permission', + '--permission', '--allow-fs-read', '*', '--experimental-loader', diff --git a/test/fixtures/dotenv/node-options.env b/test/fixtures/dotenv/node-options.env index f74ac01bc28de7..bd3be820f64e2b 100644 --- a/test/fixtures/dotenv/node-options.env +++ b/test/fixtures/dotenv/node-options.env @@ -1,6 +1,6 @@ CUSTOM_VARIABLE=hello-world NODE_NO_WARNINGS=1 -NODE_OPTIONS="--experimental-permission --allow-fs-read=*" +NODE_OPTIONS="--permission --allow-fs-read=*" TZ=Pacific/Honolulu UV_THREADPOOL_SIZE=5 BASIC=overridden diff --git a/test/parallel/test-cli-bad-options.js b/test/parallel/test-cli-bad-options.js index 8a77e94babb4fa..6868541325302d 100644 --- a/test/parallel/test-cli-bad-options.js +++ b/test/parallel/test-cli-bad-options.js @@ -14,8 +14,8 @@ if (process.features.inspector) { } requiresArgument('--eval'); -missingOption('--allow-fs-read=*', '--experimental-permission'); -missingOption('--allow-fs-write=*', '--experimental-permission'); +missingOption('--allow-fs-read=*', '--permission'); +missingOption('--allow-fs-write=*', '--permission'); function missingOption(option, requiredOption) { const r = spawnSync(process.execPath, [option], { encoding: 'utf8' }); diff --git a/test/parallel/test-cli-permission-deny-fs.js b/test/parallel/test-cli-permission-deny-fs.js index d38c4a61adbcfc..d5744cac94db3d 100644 --- a/test/parallel/test-cli-permission-deny-fs.js +++ b/test/parallel/test-cli-permission-deny-fs.js @@ -12,7 +12,7 @@ const path = require('path'); const { status, stdout } = spawnSync( process.execPath, [ - '--experimental-permission', '-e', + '--permission', '-e', `console.log(process.permission.has("fs")); console.log(process.permission.has("fs.read")); console.log(process.permission.has("fs.write"));`, @@ -31,7 +31,7 @@ const path = require('path'); const { status, stdout } = spawnSync( process.execPath, [ - '--experimental-permission', + '--permission', '--allow-fs-write', tmpPath, '-e', `console.log(process.permission.has("fs")); console.log(process.permission.has("fs.read")); @@ -51,7 +51,7 @@ const path = require('path'); const { status, stdout } = spawnSync( process.execPath, [ - '--experimental-permission', + '--permission', '--allow-fs-write', '*', '-e', `console.log(process.permission.has("fs")); console.log(process.permission.has("fs.read")); @@ -70,7 +70,7 @@ const path = require('path'); const { status, stdout } = spawnSync( process.execPath, [ - '--experimental-permission', + '--permission', '--allow-fs-read', '*', '-e', `console.log(process.permission.has("fs")); console.log(process.permission.has("fs.read")); @@ -89,7 +89,7 @@ const path = require('path'); const { status, stderr } = spawnSync( process.execPath, [ - '--experimental-permission', + '--permission', '--allow-fs-write=*', '-p', 'fs.readFileSync(process.execPath)', ] @@ -104,7 +104,7 @@ const path = require('path'); const { status, stderr } = spawnSync( process.execPath, [ - '--experimental-permission', + '--permission', '-p', 'fs.readFileSync(process.execPath)', ] @@ -119,7 +119,7 @@ const path = require('path'); const { status, stderr } = spawnSync( process.execPath, [ - '--experimental-permission', + '--permission', '--allow-fs-read=*', '-p', 'fs.writeFileSync("policy-deny-example.md", "# test")', ] @@ -145,7 +145,7 @@ const path = require('path'); const { status, stderr } = spawnSync( process.execPath, [ - '--experimental-permission', + '--permission', `--allow-fs-read=${firstPath}`, file, ] diff --git a/test/parallel/test-cli-permission-multiple-allow.js b/test/parallel/test-cli-permission-multiple-allow.js index 57ce15535300d5..3ff1935e7de1f4 100644 --- a/test/parallel/test-cli-permission-multiple-allow.js +++ b/test/parallel/test-cli-permission-multiple-allow.js @@ -12,7 +12,7 @@ const path = require('path'); const { status, stdout } = spawnSync( process.execPath, [ - '--experimental-permission', + '--permission', '--allow-fs-write', tmpPath, '--allow-fs-write', otherPath, '-e', `console.log(process.permission.has("fs")); console.log(process.permission.has("fs.read")); @@ -36,7 +36,7 @@ const path = require('path'); const { status, stdout } = spawnSync( process.execPath, [ - '--experimental-permission', + '--permission', '--allow-fs-write', tmpPath, '--allow-fs-write', @@ -63,7 +63,7 @@ const path = require('path'); const { status, stdout, stderr } = spawnSync( process.execPath, [ - '--experimental-permission', + '--permission', '--allow-fs-read=*', `--allow-fs-write=${filePath}`, '-e', diff --git a/test/parallel/test-compile-cache-api-permission.js b/test/parallel/test-compile-cache-api-permission.js index 4163cadce1428f..1a0123161b1c36 100644 --- a/test/parallel/test-compile-cache-api-permission.js +++ b/test/parallel/test-compile-cache-api-permission.js @@ -26,7 +26,7 @@ const fs = require('fs'); spawnSyncAndAssert( process.execPath, [ - '--experimental-permission', `--allow-fs-read=${scriptDir}`, `--allow-fs-write=${scriptDir}`, + '--permission', `--allow-fs-read=${scriptDir}`, `--allow-fs-write=${scriptDir}`, '-r', wrapper, empty, ], { diff --git a/test/parallel/test-compile-cache-permission-allowed.js b/test/parallel/test-compile-cache-permission-allowed.js index 76dbfab720d8df..43ce4c274780db 100644 --- a/test/parallel/test-compile-cache-permission-allowed.js +++ b/test/parallel/test-compile-cache-permission-allowed.js @@ -23,7 +23,7 @@ function testAllowed(readDir, writeDir, envDir) { spawnSyncAndAssert( process.execPath, [ - '--experimental-permission', + '--permission', `--allow-fs-read=${dummyDir}`, `--allow-fs-read=${readDir}`, `--allow-fs-write=${writeDir}`, @@ -47,7 +47,7 @@ function testAllowed(readDir, writeDir, envDir) { spawnSyncAndAssert( process.execPath, [ - '--experimental-permission', + '--permission', `--allow-fs-read=${dummyDir}`, `--allow-fs-read=${readDir}`, `--allow-fs-write=${writeDir}`, diff --git a/test/parallel/test-compile-cache-permission-disallowed.js b/test/parallel/test-compile-cache-permission-disallowed.js index dbbb38fb99f240..9870de81c5d031 100644 --- a/test/parallel/test-compile-cache-permission-disallowed.js +++ b/test/parallel/test-compile-cache-permission-disallowed.js @@ -24,7 +24,7 @@ function testDisallowed(dummyDir, cacheDirInPermission, cacheDirInEnv) { spawnSyncAndAssert( process.execPath, [ - '--experimental-permission', + '--permission', `--allow-fs-read=${dummyDir}`, // No read or write permission for cache dir. `--allow-fs-write=${dummyDir}`, script, @@ -47,7 +47,7 @@ function testDisallowed(dummyDir, cacheDirInPermission, cacheDirInEnv) { spawnSyncAndAssert( process.execPath, [ - '--experimental-permission', + '--permission', `--allow-fs-read=${dummyDir}`, `--allow-fs-read=${cacheDirInPermission}`, // Read-only `--allow-fs-write=${dummyDir}`, @@ -71,7 +71,7 @@ function testDisallowed(dummyDir, cacheDirInPermission, cacheDirInEnv) { spawnSyncAndAssert( process.execPath, [ - '--experimental-permission', + '--permission', `--allow-fs-read=${dummyDir}`, `--allow-fs-write=${cacheDirInPermission}`, // Write-only script, diff --git a/test/parallel/test-permission-allow-addons-cli.js b/test/parallel/test-permission-allow-addons-cli.js index 2254d9920cbe71..484f16e0acb3b5 100644 --- a/test/parallel/test-permission-allow-addons-cli.js +++ b/test/parallel/test-permission-allow-addons-cli.js @@ -1,4 +1,4 @@ -// Flags: --experimental-permission --allow-addons --allow-fs-read=* +// Flags: --permission --allow-addons --allow-fs-read=* 'use strict'; const common = require('../common'); diff --git a/test/parallel/test-permission-allow-child-process-cli.js b/test/parallel/test-permission-allow-child-process-cli.js index d805c6fb973c3c..1569b2b5e87459 100644 --- a/test/parallel/test-permission-allow-child-process-cli.js +++ b/test/parallel/test-permission-allow-child-process-cli.js @@ -1,4 +1,4 @@ -// Flags: --experimental-permission --allow-child-process --allow-fs-read=* +// Flags: --permission --allow-child-process --allow-fs-read=* 'use strict'; const common = require('../common'); diff --git a/test/parallel/test-permission-allow-wasi-cli.js b/test/parallel/test-permission-allow-wasi-cli.js index f6f1cfe3c895fb..c6bea9fb39cf0a 100644 --- a/test/parallel/test-permission-allow-wasi-cli.js +++ b/test/parallel/test-permission-allow-wasi-cli.js @@ -1,4 +1,4 @@ -// Flags: --experimental-permission --allow-wasi --allow-fs-read=* +// Flags: --permission --allow-wasi --allow-fs-read=* 'use strict'; const common = require('../common'); diff --git a/test/parallel/test-permission-allow-worker-cli.js b/test/parallel/test-permission-allow-worker-cli.js index ae5a28fdae3597..3dcafea7a3fa35 100644 --- a/test/parallel/test-permission-allow-worker-cli.js +++ b/test/parallel/test-permission-allow-worker-cli.js @@ -1,4 +1,4 @@ -// Flags: --experimental-permission --allow-worker --allow-fs-read=* +// Flags: --permission --allow-worker --allow-fs-read=* 'use strict'; require('../common'); diff --git a/test/parallel/test-permission-child-process-cli.js b/test/parallel/test-permission-child-process-cli.js index 76586a1c538bed..dfea008a60407b 100644 --- a/test/parallel/test-permission-child-process-cli.js +++ b/test/parallel/test-permission-child-process-cli.js @@ -1,4 +1,4 @@ -// Flags: --experimental-permission --allow-fs-read=* +// Flags: --permission --allow-fs-read=* 'use strict'; const common = require('../common'); diff --git a/test/parallel/test-permission-experimental.js b/test/parallel/test-permission-experimental.js deleted file mode 100644 index bec66e5a731a95..00000000000000 --- a/test/parallel/test-permission-experimental.js +++ /dev/null @@ -1,13 +0,0 @@ -// Flags: --experimental-permission --allow-fs-read=* -'use strict'; - -const common = require('../common'); -common.skipIfWorker(); -const assert = require('assert'); - -// This test ensures that the experimental message is emitted -// when using permission system - -process.on('warning', common.mustCall((warning) => { - assert.match(warning.message, /Permission is an experimental feature/); -}, 1)); diff --git a/test/parallel/test-permission-fs-absolute-path.js b/test/parallel/test-permission-fs-absolute-path.js index b7897743941d2e..2c2257052c8b02 100644 --- a/test/parallel/test-permission-fs-absolute-path.js +++ b/test/parallel/test-permission-fs-absolute-path.js @@ -1,4 +1,4 @@ -// Flags: --experimental-permission --allow-fs-read=* --allow-child-process +// Flags: --permission --allow-fs-read=* --allow-child-process 'use strict'; const common = require('../common'); @@ -13,7 +13,7 @@ const { spawnSync } = require('child_process'); const { status, stdout } = spawnSync( process.execPath, [ - '--experimental-permission', + '--permission', '--allow-fs-read', '*', '--allow-fs-write', path.resolve('../fixtures/permission/deny/regular-file.md'), '-e', diff --git a/test/parallel/test-permission-fs-internal-module-stat.js b/test/parallel/test-permission-fs-internal-module-stat.js index f0b9d86f0809a8..fd0222cc34fa2e 100644 --- a/test/parallel/test-permission-fs-internal-module-stat.js +++ b/test/parallel/test-permission-fs-internal-module-stat.js @@ -1,4 +1,4 @@ -// Flags: --expose-internals --experimental-permission --allow-fs-read=test/common* --allow-fs-read=tools* --allow-fs-read=test/parallel* --allow-child-process +// Flags: --expose-internals --permission --allow-fs-read=test/common* --allow-fs-read=tools* --allow-fs-read=test/parallel* --allow-child-process 'use strict'; const common = require('../common'); diff --git a/test/parallel/test-permission-fs-read.js b/test/parallel/test-permission-fs-read.js index 5be993c9df6be5..ed8e866a6a4c10 100644 --- a/test/parallel/test-permission-fs-read.js +++ b/test/parallel/test-permission-fs-read.js @@ -1,4 +1,4 @@ -// Flags: --experimental-permission --allow-fs-read=* --allow-fs-write=* --allow-child-process +// Flags: --permission --allow-fs-read=* --allow-fs-write=* --allow-child-process 'use strict'; const common = require('../common'); @@ -28,7 +28,7 @@ const commonPath = path.join(__filename, '../../common'); const { status, stderr } = spawnSync( process.execPath, [ - '--experimental-permission', `--allow-fs-read=${file}`, `--allow-fs-read=${commonPathWildcard}`, file, + '--permission', `--allow-fs-read=${file}`, `--allow-fs-read=${commonPathWildcard}`, file, ], { env: { diff --git a/test/parallel/test-permission-fs-relative-path.js b/test/parallel/test-permission-fs-relative-path.js index 628e9918660088..3b115ee35d1227 100644 --- a/test/parallel/test-permission-fs-relative-path.js +++ b/test/parallel/test-permission-fs-relative-path.js @@ -1,4 +1,4 @@ -// Flags: --experimental-permission --allow-fs-read=* --allow-child-process +// Flags: --permission --allow-fs-read=* --allow-child-process 'use strict'; const common = require('../common'); @@ -12,7 +12,7 @@ const { spawnSync } = require('child_process'); const { status, stdout } = spawnSync( process.execPath, [ - '--experimental-permission', + '--permission', '--allow-fs-read', '*', '--allow-fs-write', '../fixtures/permission/deny/regular-file.md', '-e', diff --git a/test/parallel/test-permission-fs-require.js b/test/parallel/test-permission-fs-require.js index 6a2e9201dac7b4..5d3a407708371e 100644 --- a/test/parallel/test-permission-fs-require.js +++ b/test/parallel/test-permission-fs-require.js @@ -1,4 +1,4 @@ -// Flags: --experimental-permission --allow-fs-read=* --allow-child-process +// Flags: --permission --allow-fs-read=* --allow-child-process 'use strict'; const common = require('../common'); @@ -14,7 +14,7 @@ const { spawnSync } = require('node:child_process'); const { status, stdout, stderr } = spawnSync( process.execPath, [ - '--experimental-permission', + '--permission', '--allow-fs-read', mainModule, '--allow-fs-read', requiredModule, mainModule, @@ -31,7 +31,7 @@ const { spawnSync } = require('node:child_process'); const { status, stderr } = spawnSync( process.execPath, [ - '--experimental-permission', + '--permission', '--allow-fs-read', mainModule, mainModule, ] @@ -48,7 +48,7 @@ const { spawnSync } = require('node:child_process'); const { status, stdout, stderr } = spawnSync( process.execPath, [ - '--experimental-permission', + '--permission', '--allow-fs-read', mainModule, '--allow-fs-read', requiredModule, mainModule, @@ -65,7 +65,7 @@ const { spawnSync } = require('node:child_process'); const { status, stderr } = spawnSync( process.execPath, [ - '--experimental-permission', + '--permission', '--allow-fs-read', mainModule, mainModule, ] diff --git a/test/parallel/test-permission-fs-symlink-relative.js b/test/parallel/test-permission-fs-symlink-relative.js index 4cc7d920593c23..cf9b37ea79b059 100644 --- a/test/parallel/test-permission-fs-symlink-relative.js +++ b/test/parallel/test-permission-fs-symlink-relative.js @@ -1,4 +1,4 @@ -// Flags: --experimental-permission --allow-fs-read=* --allow-fs-write=* +// Flags: --permission --allow-fs-read=* --allow-fs-write=* 'use strict'; const common = require('../common'); diff --git a/test/parallel/test-permission-fs-symlink-target-write.js b/test/parallel/test-permission-fs-symlink-target-write.js index e2b4aa2a657442..f55b19fa764a89 100644 --- a/test/parallel/test-permission-fs-symlink-target-write.js +++ b/test/parallel/test-permission-fs-symlink-target-write.js @@ -1,4 +1,4 @@ -// Flags: --experimental-permission --allow-fs-read=* --allow-fs-write=* --allow-child-process +// Flags: --permission --allow-fs-read=* --allow-fs-write=* --allow-child-process 'use strict'; const common = require('../common'); @@ -35,7 +35,7 @@ fs.writeFileSync(path.join(readWriteFolder, 'file'), 'NO evil file contents'); const { status, stderr } = spawnSync( process.execPath, [ - '--experimental-permission', + '--permission', `--allow-fs-read=${file}`, `--allow-fs-read=${commonPathWildcard}`, `--allow-fs-read=${readOnlyFolder}`, `--allow-fs-read=${readWriteFolder}`, `--allow-fs-write=${readWriteFolder}`, `--allow-fs-write=${writeOnlyFolder}`, file, diff --git a/test/parallel/test-permission-fs-symlink.js b/test/parallel/test-permission-fs-symlink.js index c7d753c267c1e7..92965c960177d4 100644 --- a/test/parallel/test-permission-fs-symlink.js +++ b/test/parallel/test-permission-fs-symlink.js @@ -1,4 +1,4 @@ -// Flags: --experimental-permission --allow-fs-read=* --allow-fs-write=* --allow-child-process +// Flags: --permission --allow-fs-read=* --allow-fs-write=* --allow-child-process 'use strict'; const common = require('../common'); @@ -36,7 +36,7 @@ const symlinkFromBlockedFile = tmpdir.resolve('example-symlink.md'); const { status, stderr } = spawnSync( process.execPath, [ - '--experimental-permission', + '--permission', `--allow-fs-read=${file}`, `--allow-fs-read=${commonPathWildcard}`, `--allow-fs-read=${symlinkFromBlockedFile}`, `--allow-fs-write=${symlinkFromBlockedFile}`, file, diff --git a/test/parallel/test-permission-fs-traversal-path.js b/test/parallel/test-permission-fs-traversal-path.js index d618c3e4f79879..03571c2d01c861 100644 --- a/test/parallel/test-permission-fs-traversal-path.js +++ b/test/parallel/test-permission-fs-traversal-path.js @@ -1,4 +1,4 @@ -// Flags: --experimental-permission --allow-fs-read=* --allow-fs-write=* --allow-child-process +// Flags: --permission --allow-fs-read=* --allow-fs-write=* --allow-child-process 'use strict'; const common = require('../common'); @@ -30,7 +30,7 @@ const commonPathWildcard = path.join(__filename, '../../common*'); const { status, stderr } = spawnSync( process.execPath, [ - '--experimental-permission', + '--permission', `--allow-fs-read=${file}`, `--allow-fs-read=${commonPathWildcard}`, `--allow-fs-read=${allowedFolder}`, `--allow-fs-write=${allowedFolder}`, file, diff --git a/test/parallel/test-permission-fs-wildcard.js b/test/parallel/test-permission-fs-wildcard.js index 7aa8c34fd65cb1..adca56ed0dba6d 100644 --- a/test/parallel/test-permission-fs-wildcard.js +++ b/test/parallel/test-permission-fs-wildcard.js @@ -1,4 +1,4 @@ -// Flags: --experimental-permission --allow-fs-read=* --allow-child-process +// Flags: --permission --allow-fs-read=* --allow-child-process 'use strict'; const common = require('../common'); @@ -31,7 +31,7 @@ if (common.isWindows) { const { status, stderr } = spawnSync( process.execPath, [ - '--experimental-permission', + '--permission', ...allowList.flatMap((path) => ['--allow-fs-read', path]), '-e', ` @@ -66,7 +66,7 @@ if (common.isWindows) { const { status, stderr } = spawnSync( process.execPath, [ - '--experimental-permission', + '--permission', ...allowList.flatMap((path) => ['--allow-fs-read', path]), '-e', ` @@ -91,7 +91,7 @@ if (common.isWindows) { const { status, stderr } = spawnSync( process.execPath, [ - '--experimental-permission', + '--permission', `--allow-fs-read=${file}`, `--allow-fs-read=${commonPathWildcard}`, ...allowList.flatMap((path) => ['--allow-fs-read', path]), file, ], @@ -104,7 +104,7 @@ if (common.isWindows) { const { status, stderr } = spawnSync( process.execPath, [ - '--experimental-permission', + '--permission', '--allow-fs-read=/a/b/*', '--allow-fs-read=/a/b/d', '--allow-fs-read=/etc/passwd.*', diff --git a/test/parallel/test-permission-fs-windows-path.js b/test/parallel/test-permission-fs-windows-path.js index 552f8e1c21694b..6869b347cf283f 100644 --- a/test/parallel/test-permission-fs-windows-path.js +++ b/test/parallel/test-permission-fs-windows-path.js @@ -1,4 +1,4 @@ -// Flags: --experimental-permission --allow-fs-read=* --allow-child-process +// Flags: --permission --allow-fs-read=* --allow-child-process 'use strict'; const common = require('../common'); @@ -13,7 +13,7 @@ if (!common.isWindows) { { const { stdout, status } = spawnSync(process.execPath, [ - '--experimental-permission', '--allow-fs-write', 'C:\\\\', '-e', + '--permission', '--allow-fs-write', 'C:\\\\', '-e', 'console.log(process.permission.has("fs.write", "C:\\\\"))', ]); assert.strictEqual(stdout.toString(), 'true\n'); @@ -22,7 +22,7 @@ if (!common.isWindows) { { const { stdout, status, stderr } = spawnSync(process.execPath, [ - '--experimental-permission', '--allow-fs-write="\\\\?\\C:\\"', '-e', + '--permission', '--allow-fs-write="\\\\?\\C:\\"', '-e', 'console.log(process.permission.has("fs.write", "C:\\\\"))', ]); assert.strictEqual(stdout.toString(), 'false\n', stderr.toString()); @@ -31,7 +31,7 @@ if (!common.isWindows) { { const { stdout, status, stderr } = spawnSync(process.execPath, [ - '--experimental-permission', '--allow-fs-write', 'C:\\', '-e', + '--permission', '--allow-fs-write', 'C:\\', '-e', `const path = require('path'); console.log(process.permission.has('fs.write', path.toNamespacedPath('C:\\\\')))`, ]); @@ -41,7 +41,7 @@ if (!common.isWindows) { { const { stdout, status, stderr } = spawnSync(process.execPath, [ - '--experimental-permission', '--allow-fs-write', 'C:\\*', '-e', + '--permission', '--allow-fs-write', 'C:\\*', '-e', "console.log(process.permission.has('fs.write', '\\\\\\\\A\\\\C:\\Users'))", ]); assert.strictEqual(stdout.toString(), 'false\n', stderr.toString()); diff --git a/test/parallel/test-permission-fs-write-report.js b/test/parallel/test-permission-fs-write-report.js index c8f6673de03d83..111f73b7bcc1ed 100644 --- a/test/parallel/test-permission-fs-write-report.js +++ b/test/parallel/test-permission-fs-write-report.js @@ -1,4 +1,4 @@ -// Flags: --experimental-permission --allow-fs-read=* +// Flags: --permission --allow-fs-read=* 'use strict'; const common = require('../common'); diff --git a/test/parallel/test-permission-fs-write-v8.js b/test/parallel/test-permission-fs-write-v8.js index bb33c307544a37..85cb9a5519b3af 100644 --- a/test/parallel/test-permission-fs-write-v8.js +++ b/test/parallel/test-permission-fs-write-v8.js @@ -1,4 +1,4 @@ -// Flags: --experimental-permission --allow-fs-read=* +// Flags: --permission --allow-fs-read=* 'use strict'; const common = require('../common'); diff --git a/test/parallel/test-permission-fs-write.js b/test/parallel/test-permission-fs-write.js index 626c00e5c007a2..34eab7a40005db 100644 --- a/test/parallel/test-permission-fs-write.js +++ b/test/parallel/test-permission-fs-write.js @@ -1,4 +1,4 @@ -// Flags: --experimental-permission --allow-fs-read=* --allow-child-process +// Flags: --permission --allow-fs-read=* --allow-child-process 'use strict'; const common = require('../common'); @@ -24,7 +24,7 @@ const file = fixtures.path('permission', 'fs-write.js'); const { status, stderr } = spawnSync( process.execPath, [ - '--experimental-permission', + '--permission', '--allow-fs-read=*', `--allow-fs-write=${regularFile}`, `--allow-fs-write=${commonPath}`, file, diff --git a/test/parallel/test-permission-has.js b/test/parallel/test-permission-has.js index 3be45c5b2a410a..bf23af014c7a40 100644 --- a/test/parallel/test-permission-has.js +++ b/test/parallel/test-permission-has.js @@ -1,4 +1,4 @@ -// Flags: --experimental-permission --allow-fs-read=* +// Flags: --permission --allow-fs-read=* 'use strict'; const common = require('../common'); diff --git a/test/parallel/test-permission-inspector-brk.js b/test/parallel/test-permission-inspector-brk.js index e1bd8e9bbb0a34..61c9c799ba7eb6 100644 --- a/test/parallel/test-permission-inspector-brk.js +++ b/test/parallel/test-permission-inspector-brk.js @@ -14,7 +14,7 @@ common.skipIfInspectorDisabled(); const { status, stderr } = spawnSync( process.execPath, [ - '--experimental-permission', + '--permission', '--allow-fs-read=*', '--inspect-brk', file, @@ -29,7 +29,7 @@ common.skipIfInspectorDisabled(); const { status, stderr } = spawnSync( process.execPath, [ - '--experimental-permission', + '--permission', '--inspect-brk', '--eval', 'console.log("Hi!")', diff --git a/test/parallel/test-permission-inspector.js b/test/parallel/test-permission-inspector.js index d4afd8d93bc2f7..9d3bf485fc4348 100644 --- a/test/parallel/test-permission-inspector.js +++ b/test/parallel/test-permission-inspector.js @@ -1,4 +1,4 @@ -// Flags: --experimental-permission --allow-fs-read=* --allow-child-process +// Flags: --permission --allow-fs-read=* --allow-child-process 'use strict'; const common = require('../common'); @@ -26,7 +26,7 @@ if (!common.hasCrypto) const { status, stderr } = spawnSync( process.execPath, [ - '--experimental-permission', + '--permission', '-e', '(new (require("inspector")).Session()).connect()', ], diff --git a/test/parallel/test-permission-no-addons.js b/test/parallel/test-permission-no-addons.js index 4a1fc635a99bc7..a3ae6f4be10641 100644 --- a/test/parallel/test-permission-no-addons.js +++ b/test/parallel/test-permission-no-addons.js @@ -1,4 +1,4 @@ -// Flags: --experimental-permission --allow-fs-read=* +// Flags: --permission --allow-fs-read=* 'use strict'; const common = require('../common'); diff --git a/test/parallel/test-permission-processbinding.js b/test/parallel/test-permission-processbinding.js index 0dd6fd450152cd..47a1364f19e303 100644 --- a/test/parallel/test-permission-processbinding.js +++ b/test/parallel/test-permission-processbinding.js @@ -13,13 +13,13 @@ const fixtures = require('../common/fixtures'); const file = fixtures.path('permission', 'processbinding.js'); // Due to linting rules-utils.js:isBinding check, process.binding() should -// not be called when --experimental-permission is enabled. +// not be called when --permission is enabled. // Always spawn a child process { const { status, stderr } = spawnSync( process.execPath, [ - '--experimental-permission', '--allow-fs-read=*', file, + '--permission', '--allow-fs-read=*', file, ], ); assert.strictEqual(status, 0, stderr.toString()); diff --git a/test/parallel/test-permission-warning-flags.js b/test/parallel/test-permission-warning-flags.js index 87fcb7ff7f3158..9b20248eae18e9 100644 --- a/test/parallel/test-permission-warning-flags.js +++ b/test/parallel/test-permission-warning-flags.js @@ -15,7 +15,7 @@ for (const flag of warnFlags) { const { status, stderr } = spawnSync( process.execPath, [ - '--experimental-permission', flag, '-e', + '--permission', flag, '-e', 'setTimeout(() => {}, 1)', ] ); diff --git a/test/parallel/test-permission-wasi.js b/test/parallel/test-permission-wasi.js index 1a6cde013097b7..01291e685570f3 100644 --- a/test/parallel/test-permission-wasi.js +++ b/test/parallel/test-permission-wasi.js @@ -1,4 +1,4 @@ -// Flags: --experimental-permission --allow-fs-read=* +// Flags: --permission --allow-fs-read=* 'use strict'; const common = require('../common'); diff --git a/test/parallel/test-permission-worker-threads-cli.js b/test/parallel/test-permission-worker-threads-cli.js index e817a7877226c1..efd98b2a3881aa 100644 --- a/test/parallel/test-permission-worker-threads-cli.js +++ b/test/parallel/test-permission-worker-threads-cli.js @@ -1,4 +1,4 @@ -// Flags: --experimental-permission --allow-fs-read=* +// Flags: --permission --allow-fs-read=* 'use strict'; const common = require('../common'); diff --git a/test/parallel/test-process-load-env-file.js b/test/parallel/test-process-load-env-file.js index 795b8773d955cb..1dada3aa9b7016 100644 --- a/test/parallel/test-process-load-env-file.js +++ b/test/parallel/test-process-load-env-file.js @@ -78,7 +78,7 @@ describe('process.loadEnvFile()', () => { `.trim(); const child = await common.spawnPromisified( process.execPath, - [ '--eval', code, '--experimental-permission' ], + [ '--eval', code, '--permission' ], { cwd: __dirname }, ); assert.match(child.stderr, /Error: Access to this API has been restricted/); diff --git a/test/parallel/test-repl-permission-model.js b/test/parallel/test-repl-permission-model.js index 66f2a147652f8d..938f5121163a23 100644 --- a/test/parallel/test-repl-permission-model.js +++ b/test/parallel/test-repl-permission-model.js @@ -1,6 +1,6 @@ 'use strict'; -// Flags: --expose-internals --experimental-permission --allow-fs-read=* +// Flags: --expose-internals --permission --allow-fs-read=* const common = require('../common'); const stream = require('stream'); diff --git a/tools/run-worker.js b/tools/run-worker.js index 20f03f53e12184..f4ede8628e5fd4 100644 --- a/tools/run-worker.js +++ b/tools/run-worker.js @@ -7,7 +7,7 @@ if (typeof require === 'undefined') { const path = require('path'); const { Worker } = require('worker_threads'); -// When --experimental-permission is enabled, the process +// When --permission is enabled, the process // aren't able to spawn any worker unless --allow-worker is passed. // Therefore, we skip the permission tests for custom-suites-freestyle if (process.permission && !process.permission.has('worker')) {