grant net permission for ips when net perms given to hostname

denoland · Feb 7, 2025 · bc43984 · bc43984
1 parent d0a4740
commit bc43984
Show file tree

Hide file tree

Showing 4 changed files with 36 additions and 11 deletions.
diff --git a/ext/node/lib.rs b/ext/node/lib.rs
@@ -87,6 +87,7 @@ pub trait NodePermissions {
     path: &str,
     api_name: Option<&str>,
   ) -> Result<PathBuf, PermissionCheckError>;
+  fn grant_net(&mut self, host: &str, port: Option<u16>);
 }
 
 impl NodePermissions for deno_permissions::PermissionsContainer {
@@ -147,6 +148,11 @@ impl NodePermissions for deno_permissions::PermissionsContainer {
   ) -> Result<(), PermissionCheckError> {
     deno_permissions::PermissionsContainer::check_sys(self, kind, api_name)
   }
+
+  fn grant_net(&mut self, host: &str, port: Option<u16>) {
+    // ignore the result when host parsing fails
+    _ = deno_permissions::PermissionsContainer::grant_net(self, host, port);
+  }
 }
 
 #[allow(clippy::disallowed_types)]

diff --git a/ext/node/ops/dns.rs b/ext/node/ops/dns.rs
@@ -39,11 +39,10 @@ pub async fn op_getaddrinfo<P>(
 where
   P: crate::NodePermissions + 'static,
 {
-  {
-    let mut state_ = state.borrow_mut();
-    let permissions = state_.borrow_mut::<P>();
-    permissions.check_net((hostname.as_str(), None), "lookup")?;
-  }
+  let mut state_ = state.borrow_mut();
+  let permissions = state_.borrow_mut::<P>();
+  permissions.check_net((hostname.as_str(), None), "lookup")?;
+
   let mut resolver = GaiResolver::new();
   let name = Name::from_str(&hostname)
     .map_err(|_| GetAddrInfoError::Resolution(hostname.clone()))?;
@@ -54,12 +53,15 @@ where
     .map(|addrs| {
       addrs
         .into_iter()
-        .map(|addr| GetAddrInfoResult {
-          family: match addr {
-            std::net::SocketAddr::V4(_) => 4,
-            std::net::SocketAddr::V6(_) => 6,
-          },
-          address: addr.ip().to_string(),
+        .map(|addr| {
+          permissions.grant_net(&addr.ip().to_string(), None);
+          GetAddrInfoResult {
+            family: match addr {
+              std::net::SocketAddr::V4(_) => 4,
+              std::net::SocketAddr::V6(_) => 6,
+            },
+            address: addr.ip().to_string(),
+          }
         })
         .collect::<Vec<_>>()
     })

diff --git a/runtime/permissions/lib.rs b/runtime/permissions/lib.rs
@@ -3344,6 +3344,20 @@ impl PermissionsContainer {
       ),
     )
   }
+
+  pub fn grant_net(
+    &self,
+    host: &str,
+    port: Option<u16>,
+  ) -> Result<bool, NetDescriptorParseError> {
+    Ok(
+      self
+        .inner
+        .lock()
+        .net
+        .insert_granted(Some(&NetDescriptor(Host::parse(host)?, port))),
+    )
+  }
 }
 
 const fn unit_permission_from_flag_bools(

diff --git a/runtime/snapshot.rs b/runtime/snapshot.rs
@@ -121,6 +121,9 @@ impl deno_node::NodePermissions for Permissions {
   ) -> Result<(), PermissionCheckError> {
     unreachable!("snapshotting!")
   }
+  fn grant_net(&mut self, _host: &str, _port: Option<u16>) {
+    unreachable!("snapshotting!")
+  }
 }
 
 impl deno_net::NetPermissions for Permissions {