policy: ensure workers do not read fs for policy

This prevents a main thread from rewriting the policy file and loading
a worker that has a different policy from the main thread.

PR-URL: https://github.com/nodejs/node/pull/25710
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Joyee Cheung <joyeec9h3@gmail.com>

4 files changed, 41 insertions, 7 deletions

diff --git a/lib/internal/bootstrap/node.js b/lib/internal/bootstrap/node.js
index 86c0cf7aaf..789d8c1754 100644
--- a/lib/internal/bootstrap/node.js
+++ b/lib/internal/bootstrap/node.js
@@ -181,7 +181,7 @@ function startup() {
 
   // TODO(joyeecheung): move this down further to get better snapshotting
   const experimentalPolicy = getOptionValue('--experimental-policy');
-  if (experimentalPolicy) {
+  if (isMainThread && experimentalPolicy) {
     process.emitWarning('Policies are experimental.',
                         'ExperimentalWarning');
     const { pathToFileURL, URL } = NativeModule.require('url');
@@ -348,8 +348,6 @@ function startup() {
 }
 
 function startWorkerThreadExecution() {
-  prepareUserCodeExecution();
-
   // If we are in a worker thread, execute the script sent through the
   // message port.
   const {
@@ -366,7 +364,9 @@ function startWorkerThreadExecution() {
   debug(`[${threadId}] is setting up worker child environment`);
 
   const port = getEnvMessagePort();
-  port.on('message', createMessageHandler(port));
+  port.on('message', createMessageHandler(
+    port,
+    prepareUserCodeExecution));
   port.start();
 
   // Overwrite fatalException
@@ -460,7 +460,7 @@ function prepareUserCodeExecution() {
 
   // For user code, we preload modules if `-r` is passed
   const preloadModules = getOptionValue('--require');
-  if (preloadModules) {
+  if (preloadModules.length) {
     const {
       _preloadModules
     } = NativeModule.require('internal/modules/cjs/loader');
diff --git a/lib/internal/process/policy.js b/lib/internal/process/policy.js
index 0b037d4ef5..823130e3c1 100644
--- a/lib/internal/process/policy.js
+++ b/lib/internal/process/policy.js
@@ -5,10 +5,14 @@ const {
 } = require('internal/errors').codes;
 const { Manifest } = require('internal/policy/manifest');
 let manifest;
+let manifestSrc;
+let manifestURL;
 
 module.exports = Object.freeze({
   __proto__: null,
   setup(src, url) {
+    manifestSrc = src;
+    manifestURL = url;
     if (src === null) {
       manifest = null;
       return;
@@ -31,6 +35,20 @@ module.exports = Object.freeze({
     return manifest;
   },
 
+  get src() {
+    if (typeof manifestSrc === 'undefined') {
+      throw new ERR_MANIFEST_TDZ();
+    }
+    return manifestSrc;
+  },
+
+  get url() {
+    if (typeof manifestURL === 'undefined') {
+      throw new ERR_MANIFEST_TDZ();
+    }
+    return manifestURL;
+  },
+
   assertIntegrity(moduleURL, content) {
     this.manifest.matchesIntegrity(moduleURL, content);
   }
diff --git a/lib/internal/process/worker_thread_only.js b/lib/internal/process/worker_thread_only.js
index b29bc7a390..2171d2b586 100644
--- a/lib/internal/process/worker_thread_only.js
+++ b/lib/internal/process/worker_thread_only.js
@@ -43,12 +43,24 @@ function initializeWorkerStdio() {
   };
 }
 
-function createMessageHandler(port) {
+function createMessageHandler(port, prepareUserCodeExecution) {
   const publicWorker = require('worker_threads');
 
   return function(message) {
     if (message.type === messageTypes.LOAD_SCRIPT) {
-      const { filename, doEval, workerData, publicPort, hasStdin } = message;
+      const {
+        filename,
+        doEval,
+        workerData,
+        publicPort,
+        manifestSrc,
+        manifestURL,
+        hasStdin
+      } = message;
+      if (manifestSrc) {
+        require('internal/process/policy').setup(manifestSrc, manifestURL);
+      }
+      prepareUserCodeExecution();
       publicWorker.parentPort = publicPort;
       publicWorker.workerData = workerData;
 
diff --git a/lib/internal/worker.js b/lib/internal/worker.js
index e20a37af8a..1640a9dd88 100644
--- a/lib/internal/worker.js
+++ b/lib/internal/worker.js
@@ -12,6 +12,7 @@ const {
   ERR_INVALID_ARG_TYPE,
 } = require('internal/errors').codes;
 const { validateString } = require('internal/validators');
+const { getOptionValue } = require('internal/options');
 
 const {
   drainMessagePort,
@@ -112,6 +113,9 @@ class Worker extends EventEmitter {
       doEval: !!options.eval,
       workerData: options.workerData,
       publicPort: port2,
+      manifestSrc: getOptionValue('--experimental-policy') ?
+        require('internal/process/policy').src :
+        null,
       hasStdin: !!options.stdin
     }, [port2]);
     // Actually start the new thread now that everything is in place.