diff options
author | Bradley Farias <bradley.meck@gmail.com> | 2019-01-23 16:21:46 -0600 |
---|---|---|
committer | Daniel Bevenius <daniel.bevenius@gmail.com> | 2019-01-29 08:08:50 +0100 |
commit | 78982389ce9265f5f65cd9e8a192e05389506927 (patch) | |
tree | eb20a408615edbc768ed025470c30e6ef5927f4e /test/parallel | |
parent | d4d76b6be07841e4416fc5ab1445b73638fcea6a (diff) | |
download | android-node-v8-78982389ce9265f5f65cd9e8a192e05389506927.tar.gz android-node-v8-78982389ce9265f5f65cd9e8a192e05389506927.tar.bz2 android-node-v8-78982389ce9265f5f65cd9e8a192e05389506927.zip |
policy: ensure workers do not read fs for policy
This prevents a main thread from rewriting the policy file and loading
a worker that has a different policy from the main thread.
PR-URL: https://github.com/nodejs/node/pull/25710
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Joyee Cheung <joyeec9h3@gmail.com>
Diffstat (limited to 'test/parallel')
-rw-r--r-- | test/parallel/test-policy-integrity.js | 106 |
1 files changed, 97 insertions, 9 deletions
diff --git a/test/parallel/test-policy-integrity.js b/test/parallel/test-policy-integrity.js index 5c1ea4fc4e..86d1078d9f 100644 --- a/test/parallel/test-policy-integrity.js +++ b/test/parallel/test-policy-integrity.js @@ -33,6 +33,17 @@ const parentFilepath = path.join(tmpdir.path, 'parent.js'); const parentURL = pathToFileURL(parentFilepath); const parentBody = 'require(\'./dep.js\')'; +const workerSpawningFilepath = path.join(tmpdir.path, 'worker_spawner.js'); +const workerSpawningURL = pathToFileURL(workerSpawningFilepath); +const workerSpawningBody = ` +const { Worker } = require('worker_threads'); +// make sure this is gone to ensure we don't do another fs read of it +// will error out if we do +require('fs').unlinkSync(${JSON.stringify(policyFilepath)}); +const w = new Worker(${JSON.stringify(parentFilepath)}); +w.on('exit', process.exit); +`; + const depFilepath = path.join(tmpdir.path, 'dep.js'); const depURL = pathToFileURL(depFilepath); const depBody = ''; @@ -49,8 +60,9 @@ if (!tmpdirURL.pathname.endsWith('/')) { } function test({ shouldFail = false, + preload = [], entry, - onerror, + onerror = undefined, resources = {} }) { const manifest = { @@ -65,7 +77,9 @@ function test({ } fs.writeFileSync(policyFilepath, JSON.stringify(manifest, null, 2)); const { status } = spawnSync(process.execPath, [ - '--experimental-policy', policyFilepath, entry + '--experimental-policy', policyFilepath, + ...preload.map((m) => ['-r', m]).flat(), + entry ]); if (shouldFail) { assert.notStrictEqual(status, 0); @@ -74,13 +88,25 @@ function test({ } } -const { status } = spawnSync(process.execPath, [ - '--experimental-policy', policyFilepath, - '--experimental-policy', policyFilepath -], { - stdio: 'pipe' -}); -assert.notStrictEqual(status, 0, 'Should not allow multiple policies'); +{ + const { status } = spawnSync(process.execPath, [ + '--experimental-policy', policyFilepath, + '--experimental-policy', policyFilepath + ], { + stdio: 'pipe' + }); + assert.notStrictEqual(status, 0, 'Should not allow multiple policies'); +} +{ + const enoentFilepath = path.join(tmpdir.path, 'enoent'); + try { fs.unlinkSync(enoentFilepath); } catch {} + const { status } = spawnSync(process.execPath, [ + '--experimental-policy', enoentFilepath, '-e', '' + ], { + stdio: 'pipe' + }); + assert.notStrictEqual(status, 0, 'Should not allow missing policies'); +} test({ shouldFail: true, @@ -196,6 +222,21 @@ test({ } }); test({ + shouldFail: false, + preload: [depFilepath], + entry: parentFilepath, + resources: { + [parentURL]: { + body: parentBody, + match: true, + }, + [depURL]: { + body: depBody, + match: true, + } + } +}); +test({ shouldFail: true, entry: parentFilepath, resources: { @@ -295,3 +336,50 @@ test({ } } }); +test({ + shouldFail: true, + entry: workerSpawningFilepath, + resources: { + [workerSpawningURL]: { + body: workerSpawningBody, + match: true, + }, + } +}); +test({ + shouldFail: false, + entry: workerSpawningFilepath, + resources: { + [workerSpawningURL]: { + body: workerSpawningBody, + match: true, + }, + [parentURL]: { + body: parentBody, + match: true, + }, + [depURL]: { + body: depBody, + match: true, + } + } +}); +test({ + shouldFail: false, + entry: workerSpawningFilepath, + preload: [parentFilepath], + resources: { + [workerSpawningURL]: { + body: workerSpawningBody, + match: true, + }, + [parentURL]: { + body: parentBody, + match: true, + }, + [depURL]: { + body: depBody, + match: true, + } + } +}); |