From 9cde2d97ba1c04ea1996bcd5d8317ab38b9dee9c Mon Sep 17 00:00:00 2001 From: Yoshiya Hinosawa Date: Fri, 7 Feb 2025 14:06:32 +0900 Subject: [PATCH] grant net permission for ips when net perms given to hostname --- ext/node/lib.rs | 6 ++++++ ext/node/ops/dns.rs | 18 ++++++++++++------ runtime/permissions/lib.rs | 14 ++++++++++++++ runtime/snapshot.rs | 3 +++ 4 files changed, 35 insertions(+), 6 deletions(-) diff --git a/ext/node/lib.rs b/ext/node/lib.rs index 9fb73bf60936ed..c1108ee92be3be 100644 --- a/ext/node/lib.rs +++ b/ext/node/lib.rs @@ -87,6 +87,7 @@ pub trait NodePermissions { path: &str, api_name: Option<&str>, ) -> Result; + fn grant_net(&mut self, host: &str, port: Option); } impl NodePermissions for deno_permissions::PermissionsContainer { @@ -147,6 +148,11 @@ impl NodePermissions for deno_permissions::PermissionsContainer { ) -> Result<(), PermissionCheckError> { deno_permissions::PermissionsContainer::check_sys(self, kind, api_name) } + + fn grant_net(&mut self, host: &str, port: Option) { + // ignore the result when host parsing fails + _ = deno_permissions::PermissionsContainer::grant_net(self, host, port); + } } #[allow(clippy::disallowed_types)] diff --git a/ext/node/ops/dns.rs b/ext/node/ops/dns.rs index 1a8e5b95fe5e44..c3e2f00c989b26 100644 --- a/ext/node/ops/dns.rs +++ b/ext/node/ops/dns.rs @@ -44,6 +44,7 @@ where let permissions = state_.borrow_mut::

(); permissions.check_net((hostname.as_str(), None), "lookup")?; } + let mut resolver = GaiResolver::new(); let name = Name::from_str(&hostname) .map_err(|_| GetAddrInfoError::Resolution(hostname.clone()))?; @@ -52,14 +53,19 @@ where .await .map_err(|_| GetAddrInfoError::Resolution(hostname)) .map(|addrs| { + let mut state_ = state.borrow_mut(); + let permissions = state_.borrow_mut::

(); addrs .into_iter() - .map(|addr| GetAddrInfoResult { - family: match addr { - std::net::SocketAddr::V4(_) => 4, - std::net::SocketAddr::V6(_) => 6, - }, - address: addr.ip().to_string(), + .map(|addr| { + permissions.grant_net(&addr.ip().to_string(), None); + GetAddrInfoResult { + family: match addr { + std::net::SocketAddr::V4(_) => 4, + std::net::SocketAddr::V6(_) => 6, + }, + address: addr.ip().to_string(), + } }) .collect::>() }) diff --git a/runtime/permissions/lib.rs b/runtime/permissions/lib.rs index 3a357d2d44a8ef..8873312eb25c6c 100644 --- a/runtime/permissions/lib.rs +++ b/runtime/permissions/lib.rs @@ -3344,6 +3344,20 @@ impl PermissionsContainer { ), ) } + + pub fn grant_net( + &self, + host: &str, + port: Option, + ) -> Result { + Ok( + self + .inner + .lock() + .net + .insert_granted(Some(&NetDescriptor(Host::parse(host)?, port))), + ) + } } const fn unit_permission_from_flag_bools( diff --git a/runtime/snapshot.rs b/runtime/snapshot.rs index 237c05f40b7ae6..8e16499b305175 100644 --- a/runtime/snapshot.rs +++ b/runtime/snapshot.rs @@ -121,6 +121,9 @@ impl deno_node::NodePermissions for Permissions { ) -> Result<(), PermissionCheckError> { unreachable!("snapshotting!") } + fn grant_net(&mut self, _host: &str, _port: Option) { + unreachable!("snapshotting!") + } } impl deno_net::NetPermissions for Permissions {
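Review bot: The `permissions.grant_net(&addr.ip().to_string(), None)` call in the new `.map(|addr| { … })` closure turns a hostname-scoped permission into a grant for every address the resolver returns, on all ports, and nothing in the patch removes it again. Those addresses come from DNS, so an allowed name can end up authorising loopback, link-local or private-range addresses, or a shared address that fronts unrelated sites, and the grant outlives the DNS record. I would state that trust decision above the call, e.g. `// SECURITY: widens the hostname grant to resolver-supplied IPs; relies on the check_net("lookup") above`. I would also add a test that a `--deny-net` entry for a resolved IP still wins, since that precedence is not visible in this hunk. The enclosing function starts and ends outside the hunk, so I cannot confirm that the lookup check always runs before this grant.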
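Review bot: `PermissionsContainer::grant_net` is a new public way to add entries to the granted net list, and it has no doc comment saying that it skips prompting or who may call it. Something like `/// Grants net access to host without prompting; call only after check_net succeeded for the name that resolved to it.` would make the contract explicit. The one caller visible in this patch, the `NodePermissions` impl in ext/node/lib.rs, discards the `Result`, so a `Host::parse` failure would silently leave the address ungranted. I cannot tell from the hunk whether the unbracketed IPv6 text from `addr.ip().to_string()` parses. Taking an `IpAddr` instead of `&str` would remove both the string round trip and the ignored error path.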