policy: ensure workers do not read fs for policy

This prevents a main thread from rewriting the policy file and loading
a worker that has a different policy from the main thread.

PR-URL: https://github.com/nodejs/node/pull/25710
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Joyee Cheung <joyeec9h3@gmail.com>

1 files changed, 97 insertions, 9 deletions

diff --git a/test/parallel/test-policy-integrity.js b/test/parallel/test-policy-integrity.js
index 5c1ea4fc4e..86d1078d9f 100644
--- a/test/parallel/test-policy-integrity.js
+++ b/test/parallel/test-policy-integrity.js
@@ -33,6 +33,17 @@ const parentFilepath = path.join(tmpdir.path, 'parent.js');
 const parentURL = pathToFileURL(parentFilepath);
 const parentBody = 'require(\'./dep.js\')';
 
+const workerSpawningFilepath = path.join(tmpdir.path, 'worker_spawner.js');
+const workerSpawningURL = pathToFileURL(workerSpawningFilepath);
+const workerSpawningBody = `
+const { Worker } = require('worker_threads');
+// make sure this is gone to ensure we don't do another fs read of it
+// will error out if we do
+require('fs').unlinkSync(${JSON.stringify(policyFilepath)});
+const w = new Worker(${JSON.stringify(parentFilepath)});
+w.on('exit', process.exit);
+`;
+
 const depFilepath = path.join(tmpdir.path, 'dep.js');
 const depURL = pathToFileURL(depFilepath);
 const depBody = '';
@@ -49,8 +60,9 @@ if (!tmpdirURL.pathname.endsWith('/')) {
 }
 function test({
   shouldFail = false,
+  preload = [],
   entry,
-  onerror,
+  onerror = undefined,
   resources = {}
 }) {
   const manifest = {
@@ -65,7 +77,9 @@ function test({
   }
   fs.writeFileSync(policyFilepath, JSON.stringify(manifest, null, 2));
   const { status } = spawnSync(process.execPath, [
-    '--experimental-policy', policyFilepath, entry
+    '--experimental-policy', policyFilepath,
+    ...preload.map((m) => ['-r', m]).flat(),
+    entry
   ]);
   if (shouldFail) {
     assert.notStrictEqual(status, 0);
@@ -74,13 +88,25 @@ function test({
   }
 }
 
-const { status } = spawnSync(process.execPath, [
-  '--experimental-policy', policyFilepath,
-  '--experimental-policy', policyFilepath
-], {
-  stdio: 'pipe'
-});
-assert.notStrictEqual(status, 0, 'Should not allow multiple policies');
+{
+  const { status } = spawnSync(process.execPath, [
+    '--experimental-policy', policyFilepath,
+    '--experimental-policy', policyFilepath
+  ], {
+    stdio: 'pipe'
+  });
+  assert.notStrictEqual(status, 0, 'Should not allow multiple policies');
+}
+{
+  const enoentFilepath = path.join(tmpdir.path, 'enoent');
+  try { fs.unlinkSync(enoentFilepath); } catch {}
+  const { status } = spawnSync(process.execPath, [
+    '--experimental-policy', enoentFilepath, '-e', ''
+  ], {
+    stdio: 'pipe'
+  });
+  assert.notStrictEqual(status, 0, 'Should not allow missing policies');
+}
 
 test({
   shouldFail: true,
@@ -196,6 +222,21 @@ test({
   }
 });
 test({
+  shouldFail: false,
+  preload: [depFilepath],
+  entry: parentFilepath,
+  resources: {
+    [parentURL]: {
+      body: parentBody,
+      match: true,
+    },
+    [depURL]: {
+      body: depBody,
+      match: true,
+    }
+  }
+});
+test({
   shouldFail: true,
   entry: parentFilepath,
   resources: {
@@ -295,3 +336,50 @@ test({
     }
   }
 });
+test({
+  shouldFail: true,
+  entry: workerSpawningFilepath,
+  resources: {
+    [workerSpawningURL]: {
+      body: workerSpawningBody,
+      match: true,
+    },
+  }
+});
+test({
+  shouldFail: false,
+  entry: workerSpawningFilepath,
+  resources: {
+    [workerSpawningURL]: {
+      body: workerSpawningBody,
+      match: true,
+    },
+    [parentURL]: {
+      body: parentBody,
+      match: true,
+    },
+    [depURL]: {
+      body: depBody,
+      match: true,
+    }
+  }
+});
+test({
+  shouldFail: false,
+  entry: workerSpawningFilepath,
+  preload: [parentFilepath],
+  resources: {
+    [workerSpawningURL]: {
+      body: workerSpawningBody,
+      match: true,
+    },
+    [parentURL]: {
+      body: parentBody,
+      match: true,
+    },
+    [depURL]: {
+      body: depBody,
+      match: true,
+    }
+  }
+});