permission,dns: add permission for dns

Author: theanarkh

doc/api/cli.md

@@ -357,6 +357,48 @@ Error: Access to this API has been restricted
 }
 ```
 
+### `--allow-net-dns`
+
+<!-- YAML
+added: REPLACEME
+-->
+
+> Stability: 1.1 - Active development
+
+When using the [Permission Model][], the process will not be able to make dns query
+by default.
+Attempts to do so will throw an `ERR_ACCESS_DENIED` unless the
+user explicitly passes the `--allow-net-dns` flag when starting Node.js.
+
+Example:
+
+```js
+const dns = require('node:dns');
+dns.lookup("localhost", () => {});
+```
+
+```console
+$ node --experimental-permission --allow-fs-read=\* index.js
+node:dns:235
+  const err = cares.getaddrinfo(
+                    ^
+
+Error: Access to this API has been restricted
+    at Object.lookup (node:dns:235:21)
+    at Object.<anonymous> (/home/index.js:2:5)
+    at Module._compile (node:internal/modules/cjs/loader:1460:14)
+    at Module._extensions..js (node:internal/modules/cjs/loader:1544:10)
+    at Module.load (node:internal/modules/cjs/loader:1275:32)
+    at Module._load (node:internal/modules/cjs/loader:1091:12)
+    at wrapModuleLoad (node:internal/modules/cjs/loader:212:19)
+    at Function.executeUserEntryPoint [as runMain] (node:internal/modules/run_main:158:5)
+    at node:internal/main/run_main_module:30:49 {
+  code: 'ERR_ACCESS_DENIED',
+  permission: 'NetDNS',
+  resource: 'lookup'
+}
+```
+
 ### `--build-snapshot`
 
 <!-- YAML
@@ -1012,6 +1054,7 @@ following permissions are restricted:
 * Child Process - manageable through [`--allow-child-process`][] flag
 * Worker Threads - manageable through [`--allow-worker`][] flag
 * WASI - manageable through [`--allow-wasi`][] flag
+* DNS - manageable through [`--allow-net-dns`][] flag
 
 ### `--experimental-require-module`
 
@@ -2804,6 +2847,7 @@ one is included in the list below.
 * `--allow-child-process`
 * `--allow-fs-read`
 * `--allow-fs-write`
+* `--allow-net-dns`
 * `--allow-wasi`
 * `--allow-worker`
 * `--conditions`, `-C`
@@ -3356,6 +3400,7 @@ node --stack-trace-limit=12 -p -e "Error.stackTraceLimit" # prints 12
 [`--allow-child-process`]: #--allow-child-process
 [`--allow-fs-read`]: #--allow-fs-read
 [`--allow-fs-write`]: #--allow-fs-write
+[`--allow-net-dns`]: #--allow-net-dns
 [`--allow-wasi`]: #--allow-wasi
 [`--allow-worker`]: #--allow-worker
 [`--build-snapshot`]: #--build-snapshot

doc/api/permissions.md

@@ -507,7 +507,8 @@ Allowing access to spawning a process and creating worker threads can be done
 using the [`--allow-child-process`][] and [`--allow-worker`][] respectively.
 
 To allow native addons when using permission model, use the [`--allow-addons`][]
-flag. For WASI, use the [`--allow-wasi`][] flag.
+flag. For WASI, use the [`--allow-wasi`][] flag. For DNS, use the [`--allow-net-dns`][]
+flag.
 
 #### Runtime API
 
@@ -575,6 +576,7 @@ There are constraints you need to know before using this system:
   * Inspector protocol
   * File system access
   * WASI
+  * DNS
 * The Permission Model is initialized after the Node.js environment is set up.
   However, certain flags such as `--env-file` or `--openssl-config` are designed
   to read files before environment initialization. As a result, such flags are
@@ -598,6 +600,7 @@ There are constraints you need to know before using this system:
 [`--allow-child-process`]: cli.md#--allow-child-process
 [`--allow-fs-read`]: cli.md#--allow-fs-read
 [`--allow-fs-write`]: cli.md#--allow-fs-write
+[`--allow-net-dns`]: cli.md#--allow-net-dns
 [`--allow-wasi`]: cli.md#--allow-wasi
 [`--allow-worker`]: cli.md#--allow-worker
 [`--experimental-permission`]: cli.md#--experimental-permission

doc/node.1

@@ -94,6 +94,9 @@ Allow execution of WASI when using the permission model.
 .It Fl -allow-worker
 Allow creating worker threads when using the permission model.
 .
+.It Fl -allow-net-dns
+Allow execution of DNS when using the permission model.
+.
 .It Fl -completion-bash
 Print source-able bash completion script for Node.js.
 .

lib/internal/process/pre_execution.js

@@ -530,6 +530,7 @@ function initializePermission() {
     const warnFlags = [
       '--allow-addons',
       '--allow-child-process',
+      '--allow-net-dns',
       '--allow-wasi',
       '--allow-worker',
     ];
@@ -574,6 +575,7 @@ function initializePermission() {
       '--allow-child-process',
       '--allow-wasi',
       '--allow-worker',
+      '--allow-net-dns',
     ];
     ArrayPrototypeForEach(availablePermissionFlags, (flag) => {
       const value = getOptionValue(flag);

node.gyp

@@ -155,6 +155,7 @@
       'src/permission/permission.cc',
       'src/permission/wasi_permission.cc',
       'src/permission/worker_permission.cc',
+      'src/permission/net_dns_permission.cc',
       'src/pipe_wrap.cc',
       'src/process_wrap.cc',
       'src/signal_wrap.cc',
@@ -280,6 +281,7 @@
       'src/permission/permission.h',
       'src/permission/wasi_permission.h',
       'src/permission/worker_permission.h',
+      'src/permission/net_dns_permission.h',
       'src/pipe_wrap.h',
       'src/req_wrap.h',
       'src/req_wrap-inl.h',

src/cares_wrap.cc

@@ -29,6 +29,7 @@
 #include "node.h"
 #include "node_errors.h"
 #include "node_external_reference.h"
+#include "permission/permission.h"
 #include "req_wrap-inl.h"
 #include "util-inl.h"
 #include "uv.h"
@@ -1417,6 +1418,8 @@ static void Query(const FunctionCallbackInfo<Value>& args) {
   node::Utf8Value utf8name(env->isolate(), string);
   auto plain_name = utf8name.ToStringView();
   std::string name = ada::idna::to_ascii(plain_name);
+  THROW_IF_INSUFFICIENT_PERMISSIONS(
+      env, permission::PermissionScope::kNetDNS, name);
   channel->ModifyActivityQueryCount(1);
   int err = wrap->Send(name.c_str());
   if (err) {
@@ -1429,7 +1432,6 @@ static void Query(const FunctionCallbackInfo<Value>& args) {
   args.GetReturnValue().Set(err);
 }
 
-
 void AfterGetAddrInfo(uv_getaddrinfo_t* req, int status, struct addrinfo* res) {
   auto cleanup = OnScopeLeave([&]() { uv_freeaddrinfo(res); });
   BaseObjectPtr<GetAddrInfoReqWrap> req_wrap{
@@ -1568,15 +1570,15 @@ void CanonicalizeIP(const FunctionCallbackInfo<Value>& args) {
 
 void GetAddrInfo(const FunctionCallbackInfo<Value>& args) {
   Environment* env = Environment::GetCurrent(args);
-
   CHECK(args[0]->IsObject());
   CHECK(args[1]->IsString());
   CHECK(args[2]->IsInt32());
   CHECK(args[4]->IsUint32());
   Local<Object> req_wrap_obj = args[0].As<Object>();
   node::Utf8Value hostname(env->isolate(), args[1]);
   std::string ascii_hostname = ada::idna::to_ascii(hostname.ToStringView());
-
+  THROW_IF_INSUFFICIENT_PERMISSIONS(
+      env, permission::PermissionScope::kNetDNS, ascii_hostname);
   int32_t flags = 0;
   if (args[3]->IsInt32()) {
     flags = args[3].As<Int32>()->Value();
@@ -1639,7 +1641,10 @@ void GetNameInfo(const FunctionCallbackInfo<Value>& args) {
   node::Utf8Value ip(env->isolate(), args[1]);
   const unsigned port = args[2]->Uint32Value(env->context()).FromJust();
   struct sockaddr_storage addr;
-
+  THROW_IF_INSUFFICIENT_PERMISSIONS(
+      env,
+      permission::PermissionScope::kNetDNS,
+      (*ip + std::string(":") + std::to_string(port)));
   CHECK(uv_ip4_addr(*ip, port, reinterpret_cast<sockaddr_in*>(&addr)) == 0 ||
         uv_ip6_addr(*ip, port, reinterpret_cast<sockaddr_in6*>(&addr)) == 0);
 

src/env.cc

@@ -936,6 +936,9 @@ Environment::Environment(IsolateData* isolate_data,
                           options_->allow_fs_write,
                           permission::PermissionScope::kFileSystemWrite);
     }
+    if (!options_->allow_net_dns) {
+      permission()->Apply(this, {"*"}, permission::PermissionScope::kNetDNS);
+    }
   }
 }
 

src/node_options.cc

@@ -464,6 +464,10 @@ EnvironmentOptionsParser::EnvironmentOptionsParser() {
             "allow worker threads when any permissions are set",
             &EnvironmentOptions::allow_worker_threads,
             kAllowedInEnvvar);
+  AddOption("--allow-net-dns",
+            "allow dns when any permissions are set",
+            &EnvironmentOptions::allow_net_dns,
+            kAllowedInEnvvar);
   AddOption("--experimental-repl-await",
             "experimental await keyword support in REPL",
             &EnvironmentOptions::experimental_repl_await,

src/node_options.h

@@ -132,6 +132,7 @@ class EnvironmentOptions : public Options {
   bool allow_child_process = false;
   bool allow_wasi = false;
   bool allow_worker_threads = false;
+  bool allow_net_dns = false;
   bool experimental_repl_await = true;
   bool experimental_vm_modules = false;
   bool expose_internals = false;

src/permission/net_dns_permission.cc

@@ -0,0 +1,23 @@
+#include "net_dns_permission.h"
+
+#include <string>
+#include <vector>
+
+namespace node {
+
+namespace permission {
+
+void NetDNSPermission::Apply(Environment* env,
+                             const std::vector<std::string>& allow,
+                             PermissionScope scope) {
+  deny_all_ = true;
+}
+
+bool NetDNSPermission::is_granted(Environment* env,
+                                  PermissionScope perm,
+                                  const std::string_view& param) const {
+  return deny_all_ == false;
+}
+
+}  // namespace permission
+}  // namespace node