Skip to content

permission: add --allow-env flag for environment variable access control#62827

Open
nabeel378 wants to merge 12 commits intonodejs:mainfrom
nabeel378:feat/permission-allow-env-flag
Open

permission: add --allow-env flag for environment variable access control#62827
nabeel378 wants to merge 12 commits intonodejs:mainfrom
nabeel378:feat/permission-allow-env-flag

Conversation

@nabeel378
Copy link
Copy Markdown
Contributor

@nabeel378 nabeel378 commented Apr 19, 2026
edited
Loading

Adds --allow-env permission flag to control access to environment variables when the permission model is enabled (--permission).

Supported usage:

  • --allow-env=* — grants access to all environment variables
  • --allow-env=HOME,PATH — grants access only to specified variables

When --permission is enabled without --allow-env, reading a restricted variable silently returns undefined, writing or deleting throws ERR_ACCESS_DENIED, and enumerating (Object.keys(process.env)) returns only allowed variables.

Fixes: #62424

@nodejs-github-bot
Copy link
Copy Markdown
Collaborator

nodejs-github-bot commented Apr 19, 2026

Review requested:

  • @nodejs/config
  • @nodejs/gyp
  • @nodejs/security-wg

@nodejs-github-bot nodejs-github-bot added c++ Issues and PRs that require attention from people who are familiar with C++. lib / src Issues and PRs related to general changes in the lib or src directory. needs-ci PRs that need a full CI run. labels Apr 19, 2026
@nabeel378 nabeel378 marked this pull request as draft April 19, 2026 10:23
@nabeel378 nabeel378 force-pushed the feat/permission-allow-env-flag branch from 9c74582 to f3544f8 Compare April 19, 2026 11:26
@nabeel378 nabeel378 marked this pull request as ready for review April 19, 2026 12:59
@codecov
Copy link
Copy Markdown

codecov Bot commented Apr 19, 2026
edited
Loading

Codecov Report

❌ Patch coverage is 89.06250% with 7 lines in your changes missing coverage. Please review.
✅ Project coverage is 89.62%. Comparing base (0a9b67e) to head (4cdd6ec).
⚠️ Report is 33 commits behind head on main.

Files with missing lines Patch % Lines
src/node_env_var.cc 87.09% 0 Missing and 4 partials ⚠️
src/permission/env_var_permission.cc 85.00% 1 Missing and 2 partials ⚠️
Additional details and impacted files 
@@            Coverage Diff             @@
##             main   #62827      +/-   ##
==========================================
- Coverage   89.64%   89.62%   -0.02%     
==========================================
  Files         707      709       +2     
  Lines      219506   219570      +64     
  Branches    42087    42098      +11     
==========================================
+ Hits       196782   196799      +17     
- Misses      14625    14660      +35     
- Partials     8099     8111      +12
Files with missing lines Coverage Δ
lib/internal/process/permission.js 83.87% <100.00%> (-16.13%) ⬇️
src/env.cc 85.61% <100.00%> (-0.03%) ⬇️
src/node_options.cc 76.63% <100.00%> (+0.02%) ⬆️
src/node_options.h 97.98% <ø> (ø)
src/permission/env_var_permission.h 100.00% <100.00%> (ø)
src/permission/permission.cc 81.92% <100.00%> (+0.33%) ⬆️
src/permission/permission.h 100.00% <ø> (ø)
src/permission/env_var_permission.cc 85.00% <85.00%> (ø)
src/node_env_var.cc 82.08% <87.09%> (-0.13%) ⬇️

... and 23 files with indirect coverage changes

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

@nabeel378 nabeel378 mentioned this pull request Apr 21, 2026
Open
thisalihassan
thisalihassan reviewed Apr 21, 2026
View reviewed changes
Comment thread doc/api/cli.md

> Stability: 1.1 - Active development

When using the [Permission Model][], access to environment variables is
Copy link
Copy Markdown
Contributor

@thisalihassan thisalihassan Apr 21, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This paragraph and the console block below it describe a deny-by-default model that the code does not implement

./out/Release/node --permission '--allow-fs-read=*' -p 'process.env.HOME'
/Users/thisalihassan

Copy link
Copy Markdown
Contributor Author

@nabeel378 nabeel378 Apr 21, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good catch! You're right, env vars are unrestricted by default with --permission. They only get restricted when --allow-env is explicitly passed. Updated both cli.md and process.md with the correct description and working examples.

Comment thread doc/api/cli.md Outdated
```

```console
$ node --permission index.js
Copy link
Copy Markdown
Contributor

@thisalihassan thisalihassan Apr 21, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

As written, this output is unreachable

./out/Release/node --permission test.js
/Users/thisalihassan

Comment thread doc/api/process.md
The `process.env` property returns an object containing the user environment.
See environ(7).

When the [Permission Model][] is enabled, access to environment variables is
Copy link
Copy Markdown
Contributor

@thisalihassan thisalihassan Apr 21, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Same issue as cli.md

@nabeel378 nabeel378 requested a review from thisalihassan April 21, 2026 17:01
@thisalihassan
Copy link
Copy Markdown
Contributor

thisalihassan commented Apr 21, 2026

I don't think this PR as it stands closes #62424, the issue asked for a deny-by-default model with throw-on-read, matching Deno and consistent with the rest of the permission model which doesn't defend against the threat the issue was explicitly motivated by

The PR description is no longer accurate according to the current opt-in model

@nabeel378
Copy link
Copy Markdown
Contributor Author

nabeel378 commented Apr 21, 2026

I don't think this PR as it stands closes #62424, the issue asked for a deny-by-default model with throw-on-read, matching Deno and consistent with the rest of the permission model which doesn't defend against the threat the issue was explicitly motivated by

The PR description is no longer accurate according to the current opt-in model

I missed that. Switching to deny-by-default to stay consistent with the other permission flags and update desc proper.

@RafaelGSS RafaelGSS added the permission Issues and PRs related to the Permission Model label Apr 21, 2026
@RafaelGSS RafaelGSS requested review from RafaelGSS and removed request for thisalihassan April 21, 2026 20:01
@nabeel378 nabeel378 force-pushed the feat/permission-allow-env-flag branch 2 times, most recently from 6a95f6e to 33a1126 Compare April 24, 2026 05:36
nabeel378 added 12 commits April 27, 2026 17:29
@nabeel378
permission: add --allow-env option for environment variable permissions
8455eff 
Signed-off-by: nabeel378 <[email protected]>
@nabeel378
doc: add documentation for --allow-env flag in CLI and permissions
4a49c92 
Signed-off-by: nabeel378 <[email protected]>
@nabeel378
permission: add --allow-env option for environment variable permissions
41b9f28
@nabeel378
permission,doc: fix --allow-env docs and expand test coverage
d5d7755 
Signed-off-by: nabeel378 <[email protected]>
@nabeel378
permission: refactor permission checks and improve test assertions fo…
db40f55 
…r environment variables

Signed-off-by: nabeel378 <[email protected]>
@nabeel378
permission: fix env var default behavior and add manpage docs
a7896b0 
Signed-off-by: nabeel378 <[email protected]>
@nabeel378
chore: re-trigger CI
4a754e6 
Signed-off-by: nabeel378 <[email protected]>
@nabeel378
doc: fix --allow-env docs to describe opt-in model
0e6f58f 
The documentation incorrectly described env var restriction as
deny-by-default when --permission is used. In reality, env vars
are unrestricted by default and only become restricted when
--allow-env is explicitly passed. Update cli.md and process.md
to accurately reflect this behavior.

Signed-off-by: nabeel378 <[email protected]>
@nabeel378
permission: update documentation and tests for --allow-env flag behavior
3cc6175 
Signed-off-by: nabeel378 <[email protected]>
@nabeel378
doc: update CLI documentation for environment variable permission checks
c170880
@nabeel378
benchmark: add --allow-env=* flag to permission benchmarks
6006969
@nabeel378
chore: re-trigger CI
4cdd6ec
@nabeel378 nabeel378 force-pushed the feat/permission-allow-env-flag branch from 73d59fb to 4cdd6ec Compare April 27, 2026 12:30
@nabeel378
Copy link
Copy Markdown
Contributor Author

nabeel378 commented Apr 28, 2026

@RafaelGSS please review.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@RafaelGSS RafaelGSS Awaiting requested review from RafaelGSS

1 more reviewer

@thisalihassan thisalihassan thisalihassan left review comments

Reviewers whose approvals may not affect merge requirements

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

c++ Issues and PRs that require attention from people who are familiar with C++. lib / src Issues and PRs related to general changes in the lib or src directory. needs-ci PRs that need a full CI run. permission Issues and PRs related to the Permission Model

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Add --allow-env flag to Permission Model for restricting environment variable access

4 participants

@nabeel378 @nodejs-github-bot @thisalihassan @RafaelGSS