src,permission: implicit allow-fs-read to app entrypoint

This commit automatically includes in the allow-fs-read
list all the app's entrypoints.

`--require` and user entry point

Signed-off-by: RafaelGSS <[email protected]>
PR-URL: #58579
Reviewed-By: James M Snell <[email protected]>
Reviewed-By: Trivikram Kamat <[email protected]>
Reviewed-By: Marco Ippolito <[email protected]>

Author: RafaelGSS

doc/api/cli.md

@@ -195,6 +195,9 @@ process.
 <!-- YAML
 added: v20.0.0
 changes:
+  - version: REPLACEME
+    pr-url: https://github.com/nodejs/node/pull/58579
+    description: Entrypoints of your application are allowed to be read implicitly.
   - version: v22.13.0
     pr-url: https://github.com/nodejs/node/pull/56201
     description: Permission Model and --allow-fs flags are stable.
@@ -214,23 +217,20 @@ The valid arguments for the `--allow-fs-read` flag are:
 
 Examples can be found in the [File System Permissions][] documentation.
 
-The initializer module also needs to be allowed. Consider the following example:
+The initializer module and custom `--require` modules has a implicit
+read permission.
 
 ```console
-$ node --permission index.js
-
-Error: Access to this API has been restricted
-    at node:internal/main/run_main_module:23:47 {
-  code: 'ERR_ACCESS_DENIED',
-  permission: 'FileSystemRead',
-  resource: '/Users/rafaelgss/repos/os/node/index.js'
-}
+$ node --permission -r custom-require.js -r custom-require-2.js index.js
 ```
 
-The process needs to have access to the `index.js` module:
+* The `custom-require.js`, `custom-require-2.js`, and `index.js` will be
+  by default in the allowed read list.
 
-```bash
-node --permission --allow-fs-read=/path/to/index.js index.js
+```js
+process.has('fs.read', 'index.js'); // true
+process.has('fs.read', 'custom-require.js'); // true
+process.has('fs.read', 'custom-require-2.js'); // true
 ```
 
 ### `--allow-fs-write`

doc/api/permissions.md

@@ -102,6 +102,23 @@ $ node --permission --allow-fs-read=* --allow-fs-write=* index.js
 Hello world!
 ```
 
+By default the entrypoints of your application are included
+in the allowed file system read list. For example:
+
+```console
+$ node --permission index.js
+```
+
+* `index.js` will be included in the allowed file system read list
+
+```console
+$ node -r /path/to/custom-require.js --permission index.js.
+```
+
+* `/path/to/custom-require.js` will be included in the allowed file system read
+  list.
+* `index.js` will be included in the allowed file system read list.
+
 The valid arguments for both flags are:
 
 * `*` - To allow all `FileSystemRead` or `FileSystemWrite` operations,

src/env.cc

@@ -952,6 +952,25 @@ Environment::Environment(IsolateData* isolate_data,
       permission()->Apply(this, {"*"}, permission::PermissionScope::kWASI);
     }
 
+    // Implicit allow entrypoint to kFileSystemRead
+    if (!options_->has_eval_string && !options_->force_repl) {
+      std::string first_argv;
+      if (argv_.size() > 1) {
+        first_argv = argv_[1];
+      }
+
+      // Also implicit allow preloaded modules to kFileSystemRead
+      if (!options_->preload_cjs_modules.empty()) {
+        for (const std::string& mod : options_->preload_cjs_modules) {
+          options_->allow_fs_read.push_back(mod);
+        }
+      }
+
+      if (first_argv != "inspect") {
+        options_->allow_fs_read.push_back(first_argv);
+      }
+    }
+
     if (!options_->allow_fs_read.empty()) {
       permission()->Apply(this,
                           options_->allow_fs_read,

test/fixtures/permission/fs-read-loader.js

@@ -0,0 +1,15 @@
+const fs = require('node:fs')
+const path = require('node:path')
+const assert = require('node:assert');
+
+{
+  fs.readFileSync(__filename);
+  console.log('Read its own contents') // Should not throw
+}
+{
+  const simpleLoaderPath = path.join(__dirname, 'simple-loader.js');
+  fs.readFile(simpleLoaderPath, (err) => {
+    assert.ok(err.code, 'ERR_ACCESS_DENIED');
+    assert.ok(err.permission, 'FileSystemRead');
+  }); // Should throw ERR_ACCESS_DENIED
+}

test/fixtures/permission/hello-world.js

@@ -0,0 +1 @@
+console.log('Hello world')

test/fixtures/permission/simple-loader.js

@@ -0,0 +1,3 @@
+// Simulate a regular loading without fs operations
+// but with access to Node core modules
+require('node:fs')

test/parallel/test-permission-fs-read-entrypoint.js

@@ -0,0 +1,38 @@
+// Flags: --permission --allow-fs-read=* --allow-fs-write=* --allow-child-process
+'use strict';
+
+const common = require('../common');
+const { isMainThread } = require('worker_threads');
+
+if (!isMainThread) {
+  common.skip('This test only works on a main thread');
+}
+
+if (!common.hasCrypto) {
+  common.skip('no crypto');
+}
+
+const assert = require('assert');
+const fixtures = require('../common/fixtures');
+const { spawnSync } = require('child_process');
+
+const file = fixtures.path('permission', 'hello-world.js');
+const simpleLoader = fixtures.path('permission', 'simple-loader.js');
+const fsReadLoader = fixtures.path('permission', 'fs-read-loader.js');
+
+[
+  '',
+  simpleLoader,
+  fsReadLoader,
+].forEach((arg0) => {
+  const { status, stderr } = spawnSync(
+    process.execPath,
+    [
+      arg0 !== '' ? '-r' : '',
+      arg0,
+      '--permission',
+      file,
+    ],
+  );
+  assert.strictEqual(status, 0, `${arg0} Error: ${stderr.toString()}`);
+});

test/parallel/test-permission-fs-read.js

@@ -32,7 +32,11 @@ const commonPath = path.join(__filename, '../../common');
   const { status, stderr } = spawnSync(
     process.execPath,
     [
-      '--permission', `--allow-fs-read=${file}`, `--allow-fs-read=${commonPathWildcard}`, file,
+      '--permission',
+      // Do not uncomment this line
+      // `--allow-fs-read=${file}`,
+      `--allow-fs-read=${commonPathWildcard}`,
+      file,
     ],
     {
       env: {