grant net permission for ips when net perms given to hostname

kt3k · kt3k · commit bc4398467fca · 2025-02-07T14:06:32.000+09:00
diff --git a/ext/node/lib.rs b/ext/node/lib.rs
@@ -87,6 +87,7 @@ pub trait NodePermissions {
     path: &str,
     api_name: Option<&str>,
   ) -> Result<PathBuf, PermissionCheckError>;
+  fn grant_net(&mut self, host: &str, port: Option<u16>);
 }
 
 impl NodePermissions for deno_permissions::PermissionsContainer {
@@ -147,6 +148,11 @@ impl NodePermissions for deno_permissions::PermissionsContainer {
   ) -> Result<(), PermissionCheckError> {
     deno_permissions::PermissionsContainer::check_sys(self, kind, api_name)
   }
+
+  fn grant_net(&mut self, host: &str, port: Option<u16>) {
+    // ignore the result when host parsing fails
+    _ = deno_permissions::PermissionsContainer::grant_net(self, host, port);
+  }
 }
 
 #[allow(clippy::disallowed_types)]
diff --git a/ext/node/ops/dns.rs b/ext/node/ops/dns.rs
@@ -39,11 +39,10 @@ pub async fn op_getaddrinfo<P>(
 where
   P: crate::NodePermissions + 'static,
 {
-  {
-    let mut state_ = state.borrow_mut();
-    let permissions = state_.borrow_mut::<P>();
-    permissions.check_net((hostname.as_str(), None), "lookup")?;
-  }
+  let mut state_ = state.borrow_mut();
+  let permissions = state_.borrow_mut::<P>();
+  permissions.check_net((hostname.as_str(), None), "lookup")?;
+
   let mut resolver = GaiResolver::new();
   let name = Name::from_str(&hostname)
     .map_err(|_| GetAddrInfoError::Resolution(hostname.clone()))?;
@@ -54,12 +53,15 @@ where
     .map(|addrs| {
       addrs
         .into_iter()
-        .map(|addr| GetAddrInfoResult {
-          family: match addr {
-            std::net::SocketAddr::V4(_) => 4,
-            std::net::SocketAddr::V6(_) => 6,
-          },
-          address: addr.ip().to_string(),
+        .map(|addr| {
+          permissions.grant_net(&addr.ip().to_string(), None);
+          GetAddrInfoResult {
+            family: match addr {
+              std::net::SocketAddr::V4(_) => 4,
+              std::net::SocketAddr::V6(_) => 6,
+            },
+            address: addr.ip().to_string(),
+          }
         })
         .collect::<Vec<_>>()
     })
diff --git a/runtime/permissions/lib.rs b/runtime/permissions/lib.rs
@@ -3344,6 +3344,20 @@ impl PermissionsContainer {
       ),
     )
   }
+
+  pub fn grant_net(
+    &self,
+    host: &str,
+    port: Option<u16>,
+  ) -> Result<bool, NetDescriptorParseError> {
+    Ok(
+      self
+        .inner
+        .lock()
+        .net
+        .insert_granted(Some(&NetDescriptor(Host::parse(host)?, port))),
+    )
+  }
 }
 
 const fn unit_permission_from_flag_bools(
diff --git a/runtime/snapshot.rs b/runtime/snapshot.rs
@@ -121,6 +121,9 @@ impl deno_node::NodePermissions for Permissions {
   ) -> Result<(), PermissionCheckError> {
     unreachable!("snapshotting!")
   }
+  fn grant_net(&mut self, _host: &str, _port: Option<u16>) {
+    unreachable!("snapshotting!")
+  }
 }
 
 impl deno_net::NetPermissions for Permissions {

Original file line number	Diff line number	Diff line change
`@@ -87,6 +87,7 @@ pub trait NodePermissions {`
`87`	`87`	`path: &str,`
`88`	`88`	`api_name: Option<&str>,`
`89`	`89`	`) -> Result<PathBuf, PermissionCheckError>;`
	`90`	`+ fn grant_net(&mut self, host: &str, port: Option<u16>);`
`90`	`91`	`}`
`91`	`92`
`92`	`93`	`impl NodePermissions for deno_permissions::PermissionsContainer {`
`@@ -147,6 +148,11 @@ impl NodePermissions for deno_permissions::PermissionsContainer {`
`147`	`148`	`) -> Result<(), PermissionCheckError> {`
`148`	`149`	`deno_permissions::PermissionsContainer::check_sys(self, kind, api_name)`
`149`	`150`	`}`
	`151`	`+`
	`152`	`+ fn grant_net(&mut self, host: &str, port: Option<u16>) {`
	`153`	`+ // ignore the result when host parsing fails`
	`154`	`+ _ = deno_permissions::PermissionsContainer::grant_net(self, host, port);`
	`155`	`+ }`
`150`	`156`	`}`
`151`	`157`
`152`	`158`	`#[allow(clippy::disallowed_types)]`
Original file line number	Diff line number	Diff line change
`@@ -121,6 +121,9 @@ impl deno_node::NodePermissions for Permissions {`
`121`	`121`	`) -> Result<(), PermissionCheckError> {`
`122`	`122`	`unreachable!("snapshotting!")`
`123`	`123`	`}`
	`124`	`+ fn grant_net(&mut self, _host: &str, _port: Option<u16>) {`
	`125`	`+ unreachable!("snapshotting!")`
	`126`	`+ }`
`124`	`127`	`}`
`125`	`128`
`126`	`129`	`impl deno_net::NetPermissions for Permissions {`