Skip to content

permission: add --allow-env flag for environment variable access control#62827

Open
nabeel378 wants to merge 8 commits intonodejs:mainfrom
nabeel378:feat/permission-allow-env-flag
Open

permission: add --allow-env flag for environment variable access control#62827
nabeel378 wants to merge 8 commits intonodejs:mainfrom
nabeel378:feat/permission-allow-env-flag

Conversation

@nabeel378
Copy link
Copy Markdown
Contributor

@nabeel378 nabeel378 commented Apr 19, 2026

Adds --allow-env permission flag to control access to environment
variables when the permission model is enabled (--permission).

Supported usage:

  • --allow-env — grants access to all environment variables
  • --allow-env=HOME,PATH — grants access only to specified variables

When --permission is enabled without --allow-env, all calls to
process.env will throw ERR_ACCESS_DENIED.

Fixes: #62424

@nodejs-github-bot
Copy link
Copy Markdown
Collaborator

nodejs-github-bot commented Apr 19, 2026

Review requested:

  • @nodejs/config
  • @nodejs/gyp
  • @nodejs/security-wg

@nodejs-github-bot nodejs-github-bot added c++ Issues and PRs that require attention from people who are familiar with C++. lib / src Issues and PRs related to general changes in the lib or src directory. needs-ci PRs that need a full CI run. labels Apr 19, 2026
@nabeel378 nabeel378 marked this pull request as draft April 19, 2026 10:23
@nabeel378 nabeel378 force-pushed the feat/permission-allow-env-flag branch from 9c74582 to f3544f8 Compare April 19, 2026 11:26
@nabeel378
permission,doc: fix --allow-env docs and expand test coverage
c54086a 
Signed-off-by: nabeel378 <mohammadnabeeljameel@gmail.com>
@nabeel378 nabeel378 marked this pull request as ready for review April 19, 2026 12:59
@nabeel378
permission: refactor permission checks and improve test assertions fo…
b6a89cf 
…r environment variables

Signed-off-by: nabeel378 <mohammadnabeeljameel@gmail.com>
@codecov
Copy link
Copy Markdown

codecov Bot commented Apr 19, 2026
edited
Loading

Codecov Report

❌ Patch coverage is 92.18750% with 5 lines in your changes missing coverage. Please review.
✅ Project coverage is 89.62%. Comparing base (58a8e1d) to head (591de5d).
⚠️ Report is 26 commits behind head on main.

Files with missing lines Patch % Lines
src/node_env_var.cc 87.09% 0 Missing and 4 partials ⚠️
src/permission/env_var_permission.cc 95.00% 0 Missing and 1 partial ⚠️
Additional details and impacted files 
@@            Coverage Diff             @@
##             main   #62827      +/-   ##
==========================================
- Coverage   89.69%   89.62%   -0.08%     
==========================================
  Files         706      708       +2     
  Lines      218222   219207     +985     
  Branches    41768    42003     +235     
==========================================
+ Hits       195731   196456     +725     
- Misses      14411    14622     +211     
- Partials     8080     8129      +49
Files with missing lines Coverage Δ
lib/internal/process/permission.js 100.00% <100.00%> (ø)
src/env.cc 85.34% <100.00%> (-0.11%) ⬇️
src/node_options.cc 76.63% <100.00%> (+0.12%) ⬆️
src/node_options.h 97.98% <100.00%> (ø)
src/permission/env_var_permission.h 100.00% <100.00%> (ø)
src/permission/permission.cc 81.92% <100.00%> (+0.33%) ⬆️
src/permission/permission.h 100.00% <ø> (ø)
src/permission/env_var_permission.cc 95.00% <95.00%> (ø)
src/node_env_var.cc 82.08% <87.09%> (-0.13%) ⬇️

... and 42 files with indirect coverage changes

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

@nabeel378
permission: fix env var default behavior and add manpage docs
cba1261 
Signed-off-by: nabeel378 <mohammadnabeeljameel@gmail.com>
@nabeel378
chore: re-trigger CI
5131c17 
Signed-off-by: nabeel378 <mohammadnabeeljameel@gmail.com>
@nabeel378 nabeel378 mentioned this pull request Apr 21, 2026
Open
thisalihassan
thisalihassan reviewed Apr 21, 2026
View reviewed changes
Comment thread doc/api/cli.md

> Stability: 1.1 - Active development

When using the [Permission Model][], access to environment variables is
Copy link
Copy Markdown
Contributor

@thisalihassan thisalihassan Apr 21, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This paragraph and the console block below it describe a deny-by-default model that the code does not implement

./out/Release/node --permission '--allow-fs-read=*' -p 'process.env.HOME'
/Users/thisalihassan

Copy link
Copy Markdown
Contributor Author

@nabeel378 nabeel378 Apr 21, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good catch! You're right, env vars are unrestricted by default with --permission. They only get restricted when --allow-env is explicitly passed. Updated both cli.md and process.md with the correct description and working examples.

Comment thread doc/api/cli.md Outdated
```

```console
$ node --permission index.js
Copy link
Copy Markdown
Contributor

@thisalihassan thisalihassan Apr 21, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

As written, this output is unreachable

./out/Release/node --permission test.js
/Users/thisalihassan

Comment thread doc/api/process.md
The `process.env` property returns an object containing the user environment.
See environ(7).

When the [Permission Model][] is enabled, access to environment variables is
Copy link
Copy Markdown
Contributor

@thisalihassan thisalihassan Apr 21, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Same issue as cli.md

@nabeel378
doc: fix --allow-env docs to describe opt-in model
591de5d 
The documentation incorrectly described env var restriction as
deny-by-default when --permission is used. In reality, env vars
are unrestricted by default and only become restricted when
--allow-env is explicitly passed. Update cli.md and process.md
to accurately reflect this behavior.

Signed-off-by: nabeel378 <mohammadnabeeljameel@gmail.com>
@nabeel378 nabeel378 requested a review from thisalihassan April 21, 2026 17:01
@thisalihassan
Copy link
Copy Markdown
Contributor

thisalihassan commented Apr 21, 2026

I don't think this PR as it stands closes #62424, the issue asked for a deny-by-default model with throw-on-read, matching Deno and consistent with the rest of the permission model which doesn't defend against the threat the issue was explicitly motivated by

The PR description is no longer accurate according to the current opt-in model

@nabeel378
Copy link
Copy Markdown
Contributor Author

nabeel378 commented Apr 21, 2026

I don't think this PR as it stands closes #62424, the issue asked for a deny-by-default model with throw-on-read, matching Deno and consistent with the rest of the permission model which doesn't defend against the threat the issue was explicitly motivated by

The PR description is no longer accurate according to the current opt-in model

I missed that. Switching to deny-by-default to stay consistent with the other permission flags and update desc proper.

@RafaelGSS RafaelGSS added the permission Issues and PRs related to the Permission Model label Apr 21, 2026
@RafaelGSS RafaelGSS requested review from RafaelGSS and removed request for thisalihassan April 21, 2026 20:01
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@RafaelGSS RafaelGSS Awaiting requested review from RafaelGSS

1 more reviewer

@thisalihassan thisalihassan thisalihassan left review comments

Reviewers whose approvals may not affect merge requirements

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

c++ Issues and PRs that require attention from people who are familiar with C++. lib / src Issues and PRs related to general changes in the lib or src directory. needs-ci PRs that need a full CI run. permission Issues and PRs related to the Permission Model

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Add --allow-env flag to Permission Model for restricting environment variable access

4 participants

@nabeel378 @nodejs-github-bot @thisalihassan @RafaelGSS